Windows Analysis Report B6VQd36tt6.dll

Overview

General Information

Sample Name: B6VQd36tt6.dll
Analysis ID: 500299
MD5: c4c060ec6b1e42d70972d0af66a04e66
SHA1: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: B6VQd36tt6.dll Virustotal: Detection: 16%
Source: B6VQd36tt6.dll ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website Virustotal: Detection: 6%
Source: breuranel.website Virustotal: Detection: 6%

Compliance:

Uses 32bit PE files
Source: B6VQd36tt6.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: B6VQd36tt6.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.784287371.000000006E68B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785711066.000000006E68B000.00000002.00020000.sdmp, B6VQd36tt6.dll

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.164.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.91.82 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.18 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.137.178 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.183.162 187
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.164.146
Uses a known web browser user agent for HTTP communication
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Content-Length: 1245
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    request-id: 4a6581a2-619b-52fc-a3a1-1b46c2d11731
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-CalculatedFETarget: AM0PR02CU005.internal.outlook.com
    X-BackEndHttpStatus: 404
    X-FEProxyInfo: AM0PR02CA0158.EURPRD02.PROD.OUTLOOK.COM
    X-CalculatedBETarget: AM0PR0302MB3315.eurprd03.prod.outlook.com
    X-BackEndHttpStatus: 404
    X-RUM-Validated: 1
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 404
    MS-CV: ooFlSpth/FKjoRtGwtEXMQ.1.1
    X-FEServer: AM0PR02CA0158
    X-Powered-By: ASP.NET
    X-FEServer: AM7PR03CA0005
    Date: Mon, 11 Oct 2021 20:23:36 GMT
    Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Content-Length: 1245
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    request-id: 3d79bdb5-66ac-6d20-1236-ee020757b4df
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-CalculatedFETarget: DU2PR04CU011.internal.outlook.com
    X-BackEndHttpStatus: 404
    X-FEProxyInfo: DU2PR04CA0330.EURPRD04.PROD.OUTLOOK.COM
    X-CalculatedBETarget: DB6PR03MB2838.EURPRD03.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 404
    X-RUM-Validated: 1
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 404
    MS-CV: tb15PaxmIG0SNu4CB1e03w.1.1
    X-FEServer: DU2PR04CA0330
    X-Powered-By: ASP.NET
    X-FEServer: AM7PR03CA0017
    Date: Mon, 11 Oct 2021 20:23:37 GMT
    Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Content-Length: 1245
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    request-id: de37bbb0-742b-37a2-87bd-bd1fca420c34
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-CalculatedFETarget: HE1PR05CU010.internal.outlook.com
    X-BackEndHttpStatus: 404
    X-FEProxyInfo: HE1PR05CA0294.EURPRD05.PROD.OUTLOOK.COM
    X-CalculatedBETarget: HE1P193MB0009.EURP193.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 404
    X-RUM-Validated: 1
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 404
    MS-CV: sLs33it0ojeHvb0fykIMNA.1.1
    X-FEServer: HE1PR05CA0294
    X-Powered-By: ASP.NET
    X-FEServer: AM6P193CA0092
    Date: Mon, 11 Oct 2021 20:24:58 GMT
    Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Content-Length: 1245
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    request-id: cc782159-69ef-cf03-4f21-5a1c9fd141af
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-CalculatedFETarget: VI1PR06CU004.internal.outlook.com
    X-BackEndHttpStatus: 404
    X-FEProxyInfo: VI1PR06CA0144.EURPRD06.PROD.OUTLOOK.COM
    X-CalculatedBETarget: VI1P193MB0047.EURP193.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 404
    X-RUM-Validated: 1
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 404
    MS-CV: WSF4zO9pA89PIVocn9FBrw.1.1
    X-FEServer: VI1PR06CA0144
    X-Powered-By: ASP.NET
    X-FEServer: AM6P193CA0101
    Date: Mon, 11 Oct 2021 20:25:00 GMT
    Connection: close
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.513974551.00000000047E0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.528779312.0000000005105000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.539530897.000000000487F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.506906811.0000000003019000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.506906811.0000000003019000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506705607.000000000309D000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983772&rver
Source: loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983776&rver
Source: rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983857&rver
Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983858&rver
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/O
Source: loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp String found in binary or memory: https://msn.com/o
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/y
Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/
Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/0
Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/D
Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf
Source: loaddll32.exe, 00000000.00000003.595223833.0000000000ABE000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi
Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.700328393.0000000000A3D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/
Source: rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fA1Qp_2BWzai2O5%2fxac_2BRG3wzSilIBjQnWR%2fyH8MK_2FDey
Source: rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fXqCHqVDXW8CZUpeu5peN_2%2fFydjgYTJtTmoC%2ffAo34oef%2f
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fpf6_2FLREfP_2FxP%2fxGe8YUjshftOGCf%2fJTttK9QV
Source: loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fpf6_2FLREfP_2FxP%2fxGe8YUjshftOGCf%2fJTttK9QVtKrTS7Q
Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fyn_2BPYQmJ20vgPRL3%2f3wjWE1bwH%2fDDPf_2FmyfN4qjiroAK
Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/pf6_2FLREfP_2FxP/xGe8YUjshftOGCf/JTttK9QVtKrTS7QkWE/ZPLHtzaUx/XGEoZ
Source: loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/yn_2BPYQmJ20vgPRL3/3wjWE1bwH/DDPf_2FmyfN4qjiroAKh/7sxv413IrGA7KcA9H
Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.779210722.0000000000A55000.00000004.00000020.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQp
Source: unknown DNS traffic detected: queries for: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/XqCHqVDXW8CZUpeu5peN_2/FydjgYTJtTmoC/fAo34oef/chWHLvpFFUOYdiWXbNbnYW0/Rfy3HU21P_/2FwjKpEqeFo_2FxU6/0A_2BR4J2MVl/hx12NRqsjmC/kkNl1wduKuFf8Q/FUG3Ocqqzs1x_2BibuPx6/9auuC1P5josci_2B/vyxmzUWJ7gSzOqo/Jt7rxzWzdI7AYIGNrQ/e7oR22vyh/Me9W1V8u/5SwAx9Su/B.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/yn_2BPYQmJ20vgPRL3/3wjWE1bwH/DDPf_2FmyfN4qjiroAKh/7sxv413IrGA7KcA9Hu0/BYfxtbSdLKzFinzGkJGdmk/P_2Fifx7koRFQ/MIG6rk6P/jRWWDjWjz87k5xmFJxsJqsu/JDVOEV0_2F/rb6v_2FY3MQLb6_2F/gkDS2luFhYah/H5Mm0Y9iZUr/9_2FNXlrb5xId9/cAon_2FllX9wfUzSs9jRy/iECEQNsAU7oK/0.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/A1Qp_2BWzai2O5/xac_2BRG3wzSilIBjQnWR/yH8MK_2FDeyVZ7zs/MmgvT5kbS5J14SI/50tiJJe1m8aJQ2XT7T/rIRQt7iCb/CwoKyLq7nfSWQHvgpN7o/BCyQHF5XZOebIuFzT_2/BFFOtw4QHhKTLswkkvF9vD/aY9DT6JVICQxS/piqcZUHz/pQlXCrwUL0BTmEd_2FLWL2L/RH2uj8PySJ/d2LKLIyBddk3_2FhT/H.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/pf6_2FLREfP_2FxP/xGe8YUjshftOGCf/JTttK9QVtKrTS7QkWE/ZPLHtzaUx/XGEoZcanWnYYYh5pU8Em/GLDLy5GpGXwcg_2Bwck/kT4Zd7sERIG_2Bba1DdBVT/1BoxASA_2FDOZ/PsNxvKNH/RweAmXaL_2B7o4rtkWRlTX9/6ZU5YSIMnk/yFSTinelYwomOZkWD/rkossiVbXA0U/C_2FCIlnEO_/2FzjQ_2By_2FPmxqq/uw86.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.91.82:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.114:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.137.178:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.2:443 -> 192.168.2.7:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49841 version: TLS 1.2
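
The captured requests above all have one shape: a legitimate Microsoft host (msn.com, outlook.com, www.outlook.com, outlook.office365.com) that answers 404, a constant second path component (liopolo), a long run of pseudo-directories made of base64-looking text containing the tokens _2B and _2F, a throwaway extension (.jre), both no-cache headers on a plain GET, and a User-Agent claiming MSIE 8.0 on Windows NT 10.0, a browser that never shipped on that OS. Because the hosts are decoys that return nothing useful, the path itself is the artefact worth detecting. The Python below is an added example written for this page, not Joe Sandbox output and not Ursnif's own code: it reassembles the payload hidden in such a path, checks that it decodes to whole 16-byte blocks, and scores a request on the traits listed. It assumes, from public ISFB/Gozi analyses rather than from anything this report states, that _2B and _2F stand in for base64 + and / and that the payload is Serpent-CBC ciphertext (16-byte blocks; no decryption is attempted). It further assumes the first two path components carry no payload, which is what every captured request here shows. The first sample request is copied from the first capture above; the second is a constructed benign control; all function and constant names are the example's own.

```python
"""Triage ISFB/Ursnif-style GET requests of the kind captured in this report (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption (public ISFB analyses, not stated on this page): the bot base64-encodes its
# request data, swaps '+' and '/' for these tokens, then slices the text into fake directories.
B64_SUBST = {"_2B": "+", "_2F": "/"}

# Internet Explorer 8 never ran on Windows NT 10.0, so this exact string is a tell on its own.
ISFB_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# Host headers seen in the captures above: legitimate Microsoft names that answer 404.
DECOY_HOSTS = {"msn.com", "outlook.com", "www.outlook.com", "outlook.office365.com"}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]*$")

# Constructed inputs: the first is the report's first captured request, the second is a
# benign control written for this example.
SAMPLE_REQUESTS = [
    "\r\n".join([
        "GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/"
        "1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/"
        "omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1",
        "Cache-Control: no-cache",
        "Connection: Keep-Alive",
        "Pragma: no-cache",
        "User-Agent: " + ISFB_UA,
        "Host: www.outlook.com",
        "", "",
    ]),
    "\r\n".join([
        "GET /owa/ HTTP/1.1",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Host: outlook.office365.com",
        "", "",
    ]),
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, headers); header names are lower-cased."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def recover_blob(path: str, prefix_segments: int = 2) -> Optional[bytes]:
    """Rebuild the base64 text hidden in an ISFB-style path and decode it.

    prefix_segments: leading components that carry no payload ("/<decoy dir>/liopolo/" in
    every request captured here; an assumption drawn from those captures, not a constant).
    Returns None when the path does not reassemble into valid base64.
    """
    segments = [s for s in path.split("/") if s]
    if len(segments) <= prefix_segments:
        return None
    payload = segments[prefix_segments:]
    payload[-1] = payload[-1].rsplit(".", 1)[0]   # drop the bogus extension (".jre" here)
    text = "".join(payload)                        # join first: a token may straddle a "/"
    for token, char in B64_SUBST.items():
        text = text.replace(token, char)
    if not _B64_RE.match(text):
        return None
    text += "=" * (-len(text) % 4)                 # padding is never sent; restore it
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def build_path(blob: bytes, prefix: str = "/signup/liopolo", chunk: int = 13, ext: str = "jre") -> str:
    """Inverse of recover_blob, used to generate test vectors: base64, substitute, slice."""
    text = base64.b64encode(blob).decode().rstrip("=")
    for token, char in B64_SUBST.items():
        text = text.replace(char, token)
    pieces = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return f"{prefix}/" + "/".join(pieces) + f".{ext}"


@dataclass
class Verdict:
    host: str
    ua_match: bool        # the impossible IE8-on-Windows-10 User-Agent
    no_cache_pair: bool   # Cache-Control: no-cache and Pragma: no-cache on a GET
    decoy_host: bool      # one of the Microsoft hosts used as cover in this report
    segments: int         # path depth; the captures have 15 payload segments plus 2 prefix
    blob_len: Optional[int]
    block_aligned: bool   # decoded length is a multiple of the 16-byte Serpent block

    @property
    def score(self) -> int:
        return sum([self.ua_match, self.no_cache_pair, self.decoy_host,
                    self.segments >= 8, self.block_aligned])


def triage(raw: str) -> Verdict:
    """Score one raw request against the traits visible in this report's captures."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    blob = recover_blob(path)
    return Verdict(
        host=host,
        ua_match=headers.get("user-agent") == ISFB_UA,
        no_cache_pair=headers.get("cache-control") == "no-cache" and headers.get("pragma") == "no-cache",
        decoy_host=host in DECOY_HOSTS,
        segments=len([s for s in path.split("/") if s]),
        blob_len=None if blob is None else len(blob),
        block_aligned=blob is not None and len(blob) % 16 == 0,
    )


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(triage(req))
```

Without the Serpent routine the recovered bytes stay opaque, and that is fine for triage: a path that reassembles into valid base64 of block-aligned length, sent with that User-Agent to a Microsoft host that answers 404, is not a legitimate Outlook or MSN request. The decoy hosts are not the thing to block; the path shape and the User-Agent are what a proxy or IDS rule should key on.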

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.777229049.00000000009FB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: B6VQd36tt6.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 864
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6121B4 0_2_6E6121B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E625600 0_2_6E625600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E625600 3_2_6E625600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E668DAF 3_2_6E668DAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E64E8C0 3_2_6E64E8C0
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E611273 NtMapViewOfSection, 0_2_6E611273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6115C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E6115C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6113B8 GetProcAddress,NtCreateSection,memset, 0_2_6E6113B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6123D5 NtQueryVirtualMemory, 0_2_6E6123D5
Source: B6VQd36tt6.dll Virustotal: Detection: 16%
Source: B6VQd36tt6.dll ReversingLabs: Detection: 24%
Source: B6VQd36tt6.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 864
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 636
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5812.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@14/12@26/9
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5780
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess724
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4892
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: B6VQd36tt6.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: B6VQd36tt6.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbdH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb) source: WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.493177698.00000000032C5000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507567039.0000000004934000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbbH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509889795.00000000054C3000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520068624.0000000004BC3000.00000004.00000040.sdmp
Source: Binary string: lbase.pdb source: WerFault.exe, 00000011.00000003.479795785.00000000048C4000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb! source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb# source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb5 source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.493154431.00000000032BF000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.509793696.0000000002C2F000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509889795.00000000054C3000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520068624.0000000004BC3000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb9 source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb+ source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb- source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb& source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb@ source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbvH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb, source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbzH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.494991181.00000000032CB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb> source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb* source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb|H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb" source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb" source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbNH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbhH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.493154431.00000000032BF000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.509793696.0000000002C2F000.00000004.00000001.sdmp
Source: Binary string: ole32.pdbl source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb* source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbTH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbIE source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb,H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbv source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb2 source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb? source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb8 source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.784287371.000000006E68B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785711066.000000006E68B000.00000002.00020000.sdmp, B6VQd36tt6.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb&H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbXH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.494991181.00000000032CB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507712896.0000000002C3B000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.493177698.00000000032C5000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507687054.0000000002C35000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb@H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbRH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb| source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E612150 push ecx; ret 0_2_6E612159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6121A3 push ecx; ret 0_2_6E6121B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E64AB9A push ecx; ret 0_2_6E64ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E64AB9A push ecx; ret 3_2_6E64ABAD
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E611DE5 LoadLibraryA,GetProcAddress, 0_2_6E611DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000014.00000002.533156151.00000000051B7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.511800609.00000000048CF000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.532925191.00000000050FC000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.547189400.0000000004860000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(
Source: WerFault.exe, 00000011.00000003.511800609.00000000048CF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWnnection* 6-QoS Packet Scheduler-0000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E656CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E656CB3
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E611DE5 LoadLibraryA,GetProcAddress, 0_2_6E611DE5
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E66C325 mov eax, dword ptr fs:[00000030h] 0_2_6E66C325
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E678861 mov eax, dword ptr fs:[00000030h] 0_2_6E678861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6BDFDA mov eax, dword ptr fs:[00000030h] 0_2_6E6BDFDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6BDEAA mov eax, dword ptr fs:[00000030h] 0_2_6E6BDEAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E6BDBB5 push dword ptr fs:[00000030h] 0_2_6E6BDBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E66C325 mov eax, dword ptr fs:[00000030h] 3_2_6E66C325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E678861 mov eax, dword ptr fs:[00000030h] 3_2_6E678861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BDFDA mov eax, dword ptr fs:[00000030h] 3_2_6E6BDFDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BDEAA mov eax, dword ptr fs:[00000030h] 3_2_6E6BDEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E6BDBB5 push dword ptr fs:[00000030h] 3_2_6E6BDBB5
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E64B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E64B316
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E656CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E656CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E656CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E656CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E64B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E64B316
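The PEB reads at fs:[30h] and the push ecx; ret sequences listed above are fixed byte patterns that can be located statically in the unpacked images (for example 0.2.loaddll32.exe.6e610000.2.unpack). The scanner below is an added example and is not part of this report or of Joe Sandbox: it searches a raw image for those encodings, prints addresses in the report's base+offset form, and separates a PEB read that is immediately followed by an access to PEB.BeingDebugged (offset 2, the hand-rolled IsDebuggerPresent idiom) from generic PEB use such as reading the OS version, which the MSVC runtime linked into ordinary binaries also does. Two caveats a triager should keep in mind: push ecx; ret on its own is a weak indicator because it also appears in compiler-generated runtime code, and the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess chains above match the call order of the MSVC runtime's own failure handlers, so the Yara hits and the extracted configuration carry the verdict rather than these signatures. The DebugPort query the report lists is a runtime NtQueryInformationProcess(ProcessDebugPort) call and is not visible to a byte scan. The sample bytes, the image base and the mov ecx variant are constructed assumptions for this example.

```python
"""Static scan for the x86 idioms behind the report's PEB-read and
push/ret signatures.  Added example, not Joe Sandbox code."""
from __future__ import annotations

import re
from typing import NamedTuple


class Hit(NamedTuple):
    va: int       # base + offset, printed like the report's 0_2_6E66C325
    offset: int   # offset into the scanned image
    idiom: str


# 32-bit x86 encodings of the instructions the report names.  fs:[30h] holds
# the PEB pointer in the 32-bit TEB.  The mov ecx form is an added variant
# (assumption: it is not listed on the page).
IDIOMS = {
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, dword ptr fs:[30h]",
    b"\x64\xff\x35\x30\x00\x00\x00": "push dword ptr fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, dword ptr fs:[30h]",
    b"\x51\xc3":                     "push ecx; ret",
}

# Accesses to PEB.BeingDebugged (offset 2) once the PEB pointer is in eax:
# movzx eax,[eax+2] / cmp byte ptr [eax+2],0 / mov al,[eax+2].
BEING_DEBUGGED_FOLLOWUPS = (b"\x0f\xb6\x40\x02", b"\x80\x78\x02\x00", b"\x8a\x40\x02")


def scan(image: bytes, base: int = 0) -> list[Hit]:
    """Return every idiom occurrence in the image, sorted by address."""
    hits: list[Hit] = []
    for pattern, idiom in IDIOMS.items():
        for m in re.finditer(re.escape(pattern), image):
            hits.append(Hit(base + m.start(), m.start(), idiom))
    return sorted(hits)


def classify(image: bytes, hit: Hit) -> str:
    """Tell an IsDebuggerPresent-style check apart from generic PEB use.
    Only the mov eax form is followed up; the other forms are reported as generic."""
    if hit.idiom == "push ecx; ret":
        return "push/ret idiom (also common in MSVC runtime code)"
    if not hit.idiom.startswith("mov eax"):
        return "generic PEB access"
    tail = image[hit.offset + 6: hit.offset + 14]
    if any(tail.startswith(f) for f in BEING_DEBUGGED_FOLLOWUPS):
        return "PEB.BeingDebugged check"
    return "generic PEB access"


def triage(image: bytes, base: int = 0) -> dict[str, object]:
    """Scan, label every hit and summarise what matters for a verdict."""
    hits = scan(image, base)
    labelled = [(h, classify(image, h)) for h in hits]
    return {
        "hits": labelled,
        "being_debugged_checks": [h.va for h, label in labelled if label == "PEB.BeingDebugged check"],
        "peb_reads": sum(1 for h in hits if h.idiom != "push ecx; ret"),
        "push_ret_count": sum(1 for h in hits if h.idiom == "push ecx; ret"),
    }


# Constructed sample image (assumption, not bytes from the analysed DLL): an
# IsDebuggerPresent-style check, a push ecx; ret epilogue, and a benign PEB
# read of OSMajorVersion (PEB+0A4h) of the kind the C runtime performs.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec"                   # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]
    b"\x0f\xb6\x40\x02"               # movzx eax, byte ptr [eax+2]   PEB.BeingDebugged
    b"\x85\xc0\x75\x05"               # test eax, eax ; jnz +5
    b"\x90\x90\x90\x90\x90"           # nop x5
    b"\x51\xc3"                       # push ecx ; ret
    b"\x64\xa1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]
    b"\x8b\x80\xa4\x00\x00\x00"       # mov eax, [eax+0A4h]            PEB.OSMajorVersion
)
SAMPLE_BASE = 0x6E610000              # image base seen in the report's function ids


if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE, SAMPLE_BASE)
    for hit, label in result["hits"]:
        print(f"{hit.va:08X}  {hit.idiom:<30} {label}")
    print("BeingDebugged checks at:", [f"{va:08X}" for va in result["being_debugged_checks"]])
```

Run it against a raw dump with the base the sandbox reports for that region and compare the printed addresses with the function ids in the report; a PEB read that is not followed by a BeingDebugged access is worth a look but is not by itself evidence of anti-debugging.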

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.164.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.91.82 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.18 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.137.178 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.183.162 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
Source: loaddll32.exe, 00000000.00000002.782268539.00000000010F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.474867165.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.784327016.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.489105451.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.496311981.00000000033C0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.782268539.00000000010F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.474867165.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.784327016.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.489105451.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.496311981.00000000033C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.782268539.00000000010F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.474867165.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.784327016.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.489105451.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.496311981.00000000033C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.782268539.00000000010F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.474867165.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.784327016.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.489105451.0000000003030000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.496311981.00000000033C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
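The network and process-creation records in this section are flat "Source: <process> <event>: <value>" lines. The script below is an added example, not Joe Sandbox tooling, that turns such lines into something a responder can act on: it separates the .website domains queried by the injected rundll32.exe from the Microsoft-owned domains, which this example assumes are connectivity checks or decoys rather than C2 (an assumption; the report does not tie each connected IP to a domain, so the IPs are collected but left unclassified), and it flags the rundll32 invocation because the DLL sits in a user-writable path and the export is called by ordinal (#1). The sample lines are copied from this section; one of them keeps the trailing "Jump to behavior" link text that the HTML export prints, to show that the parser tolerates it. The decoy suffix list and the user-writable path list are assumptions chosen for this example.

```python
"""Turn the flat 'Source: <process> <event>: <value>' lines of the report into
IOCs and alerts.  Added example, not Joe Sandbox tooling."""
from __future__ import annotations

import re
from collections import defaultdict

# Lines copied from the report section above (constructed subset).  One line
# keeps the "Jump to behavior" link text as the HTML export prints it.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.164.146 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.91.82 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.18 187
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
"""

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+"
    r"(?P<kind>Network Connect|Domain query|Process created):\s+"
    r"(?P<value>.*?)(?:\s+Jump to behavior)?\s*$"
)

# Assumption for this example: Microsoft-owned domains are connectivity checks
# or decoys, not C2.  Connected IPs stay unclassified because the report does
# not tie them to a domain.
DECOY_SUFFIXES = {"msn.com", "outlook.com", "office365.com"}

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+'?(?P<dll>[^',]+)'?,\s*(?P<export>#\d+|\w+)", re.I)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")  # assumption


def registrable(domain: str) -> str:
    """Last two labels; enough for the domains in this report."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_decoy(domain: str) -> bool:
    return registrable(domain) in DECOY_SUFFIXES


def suspicious_rundll32(cmdline: str) -> dict | None:
    """Flag rundll32 loading a DLL from a user-writable path or by ordinal."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if any(p in dll.lower() for p in USER_WRITABLE):
        reasons.append("DLL in user-writable path")
    if export.startswith("#"):
        reasons.append("export called by ordinal")
    return {"dll": dll, "export": export, "reasons": reasons}


def triage(text: str) -> dict:
    """Parse report lines into IOC buckets and process alerts."""
    result = {"connect_ips": set(), "c2_domains": set(), "decoy_domains": set(), "process_alerts": []}
    by_process = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc, kind, value = m.group("proc", "kind", "value")
        if kind == "Network Connect":
            ip, _, _port = value.partition(" ")   # second token as printed in the report
            result["connect_ips"].add(ip)
            by_process[proc].add(ip)
        elif kind == "Domain query":
            bucket = "decoy_domains" if is_decoy(value) else "c2_domains"
            result[bucket].add(value)
            by_process[proc].add(value)
        else:
            alert = suspicious_rundll32(value)
            if alert and alert["reasons"]:
                result["process_alerts"].append({"parent": proc, **alert})
    result["by_process"] = {p: sorted(v) for p, v in by_process.items()}
    return result


if __name__ == "__main__":
    r = triage(REPORT_LINES)
    print("block:", sorted(r["c2_domains"]), "| decoys:", sorted(r["decoy_domains"]))
    for a in r["process_alerts"]:
        print("ALERT", a["parent"], "->", a["dll"], a["export"], a["reasons"])
```

The output of this script is a blocklist of the two .website domains plus a process alert for cmd.exe spawning rundll32.exe on a DLL under the user's Desktop; the IP list should be correlated with the report's own DNS answers before any of it is blocked, since several of those addresses may belong to the decoy lookups.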

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E670E4C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E670429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E670E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E649EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E67E448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E670429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E67EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E67E344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E67E3AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E67E84C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E67E0A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E611172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E611172
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E66FF15 _free,_free,_free,GetTimeZoneInformation,_free, 3_2_6E66FF15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E611825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E611825

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif