
Windows Analysis Report B6VQd36tt6.dll

Overview

General Information

Sample Name: B6VQd36tt6.dll
Analysis ID: 500299
MD5: c4c060ec6b1e42d70972d0af66a04e66
SHA1: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6116 cmdline: loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4024 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4720 cmdline: rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4892 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 864 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5780 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 840 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 724 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
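The tree above shows the pattern that drives the "System process connects to network" and "One or more processes crash" signatures: rundll32.exe is handed a DLL from the user's Desktop, the export that works (#1) goes on to resolve domains, and the other exports crash into WerFault. The following is an added example of how a SOC engineer could express that as detection logic; it is not Joe Sandbox's signature code and not taken from the report. The process events are constructed from the tree (PIDs, parents and command lines as printed; loaddll32.exe's parent is set to 0 as a placeholder), and the DNS events are attributed to PID 4720 as an assumption, because the report names only the image rundll32.exe for the domain queries, not the PID. The severity mapping is analyst judgement, not the report's scoring.

```python
"""Detection logic over a rundll32 process tree (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed from the process tree in the report: (pid, ppid, image, command line).
PROCESS_EVENTS = [
    (6116, 0,    "loaddll32.exe", "loaddll32.exe 'C:\\Users\\user\\Desktop\\B6VQd36tt6.dll'"),
    (4024, 6116, "cmd.exe",       "cmd.exe /C rundll32.exe 'C:\\Users\\user\\Desktop\\B6VQd36tt6.dll',#1"),
    (4720, 4024, "rundll32.exe",  "rundll32.exe 'C:\\Users\\user\\Desktop\\B6VQd36tt6.dll',#1"),
    (4892, 6116, "rundll32.exe",  "rundll32.exe C:\\Users\\user\\Desktop\\B6VQd36tt6.dll,BeGrass"),
    (4364, 4892, "WerFault.exe",  "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4892 -s 864"),
    (5780, 6116, "rundll32.exe",  "rundll32.exe C:\\Users\\user\\Desktop\\B6VQd36tt6.dll,Fieldeight"),
    (2836, 5780, "WerFault.exe",  "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 5780 -s 840"),
    (724,  6116, "rundll32.exe",  "rundll32.exe C:\\Users\\user\\Desktop\\B6VQd36tt6.dll,Often"),
    (4736, 724,  "WerFault.exe",  "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 724 -s 636"),
]

# Domain queries from the Networking section; PID attribution is an assumption.
DNS_EVENTS = [
    (4720, "msn.com"),
    (4720, "areuranel.website"),
    (4720, "breuranel.website"),
    (4720, "outlook.com"),
]

# Locations a standard user can write to; a DLL loaded by rundll32 from here is suspect.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I)
_RUNDLL32_RE = re.compile(r'^"?[^\s"]*rundll32(?:\.exe)?"?\s+(.*)$', re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None.

    Handles both the quoted form  rundll32.exe 'path',#1  and the bare form
    rundll32.exe path,ExportName  that appear in the tree above.
    """
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest[:1] in ("'", '"'):
        q = rest[0]
        end = rest.find(q, 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        dll, sep, tail = rest.partition(",")
        tail = sep + tail
    entry = tail[1:].split()[0] if tail.startswith(",") and tail[1:].split() else None
    return dll, entry


def detect(process_events, dns_events):
    """Flag rundll32 instances that load a DLL from a user-writable path.

    Severity rises to 'high' when that same process issues DNS queries
    (system binary + user-path DLL + network). A WerFault child is recorded
    so the crashing exports seen in the sandbox are kept with the finding.
    """
    by_pid = {ev[0]: ev for ev in process_events}
    children = defaultdict(list)
    for pid, ppid, *_ in process_events:
        children[ppid].append(pid)
    dns_by_pid = defaultdict(list)
    for pid, name in dns_events:
        dns_by_pid[pid].append(name)

    findings = []
    for pid, ppid, image, cmdline in process_events:
        if image.lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(cmdline)
        if not parsed or not USER_WRITABLE.match(parsed[0]):
            continue
        dll, entry = parsed
        finding = {"pid": pid, "dll": dll, "entry": entry, "severity": "medium",
                   "dns": list(dns_by_pid.get(pid, [])), "crashed": False}
        for child in children.get(pid, []):
            if by_pid[child][2].lower() == "werfault.exe":
                finding["crashed"] = True
        if finding["dns"]:
            finding["severity"] = "high"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, DNS_EVENTS):
        print(f)
```

Run as is, the four rundll32 instances are flagged: PID 4720 (export #1) at high severity with the four domain lookups, and the three named-export instances at medium with the crash recorded. A rundll32 loading a DLL from C:\Windows\System32 produces no finding, which is the false-positive boundary a rule like this needs.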

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=",
  "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"],
  "botnet": "8899",
  "server": "12",
  "serpent_key": "56473871MNTYAIDA",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(30 entries in total; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author
3.2.rundll32.exe.50394a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.6e610000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.a6a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.3.loaddll32.exe.85a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
6.3.rundll32.exe.d7a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(13 entries in total; first 5 shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: B6VQd36tt6.dll, VirusTotal: Detection: 16%
Source: B6VQd36tt6.dll, ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website, VirusTotal: Detection: 6%
Source: breuranel.website, VirusTotal: Detection: 6%
Source: B6VQd36tt6.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.101.91.82:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.151.114:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.137.178:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49839 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.101.60.2:443 -> 192.168.2.7:49840 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49841 version: TLS 1.2
Source: B6VQd36tt6.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbdH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb) source: WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.493177698.00000000032C5000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507567039.0000000004934000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbbH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509889795.00000000054C3000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520068624.0000000004BC3000.00000004.00000040.sdmp
                      Source: Binary string: lbase.pdb source: WerFault.exe, 00000011.00000003.479795785.00000000048C4000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdb! source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb# source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb5 source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.493154431.00000000032BF000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.509793696.0000000002C2F000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509889795.00000000054C3000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520068624.0000000004BC3000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb9 source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb+ source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb- source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb& source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb@ source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbvH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb, source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbzH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.494991181.00000000032CB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb> source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb* source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb|H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb" source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb" source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbNH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbhH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.493154431.00000000032BF000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.509793696.0000000002C2F000.00000004.00000001.sdmp
                      Source: Binary string: ole32.pdbl source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb* source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdbTH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbIE source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb,H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbv source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb2 source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb? source: WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: msctf.pdb8 source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.784287371.000000006E68B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.785711066.000000006E68B000.00000002.00020000.sdmp, B6VQd36tt6.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb&H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbXH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.485303195.0000000004BF4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509855215.00000000054B4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520172099.0000000004BB4000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.494991181.00000000032CB000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507712896.0000000002C3B000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.485297941.0000000004BF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509842537.00000000054B0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520145267.0000000004BB0000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.493177698.00000000032C5000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.507687054.0000000002C35000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.509869647.00000000054B7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb@H source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdbRH source: WerFault.exe, 00000011.00000003.485309093.0000000004BF7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb| source: WerFault.exe, 00000016.00000003.520038709.0000000004BB7000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.485227453.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.509695928.00000000054E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.519966119.0000000004BE1000.00000004.00000001.sdmp

                      Networking:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.97.164.146 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.101.91.82 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.151.18 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.137.178 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.183.162 187
                      Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox ViewIP Address: 40.97.164.146
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/XqCHqVDXW8CZUpeu5peN_2/FydjgYTJtTmoC/fAo34oef/chWHLvpFFUOYdiWXbNbnYW0/Rfy3HU21P_/2FwjKpEqeFo_2FxU6/0A_2BR4J2MVl/hx12NRqsjmC/kkNl1wduKuFf8Q/FUG3Ocqqzs1x_2BibuPx6/9auuC1P5josci_2B/vyxmzUWJ7gSzOqo/Jt7rxzWzdI7AYIGNrQ/e7oR22vyh/Me9W1V8u/5SwAx9Su/B.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/yn_2BPYQmJ20vgPRL3/3wjWE1bwH/DDPf_2FmyfN4qjiroAKh/7sxv413IrGA7KcA9Hu0/BYfxtbSdLKzFinzGkJGdmk/P_2Fifx7koRFQ/MIG6rk6P/jRWWDjWjz87k5xmFJxsJqsu/JDVOEV0_2F/rb6v_2FY3MQLb6_2F/gkDS2luFhYah/H5Mm0Y9iZUr/9_2FNXlrb5xId9/cAon_2FllX9wfUzSs9jRy/iECEQNsAU7oK/0.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/yxX7bEpX8fkEJbVyh9/qWpi3f2OW/wrbjI8c5A6cpHeOUtqJL/SsvBBOkr1Vxt3lBY9zj/5j0TGmFjnVfmYPqQrqQKOy/CuHlAfsl6J0Xl/Gz8IEoLZ/BwAkxXP5B5W2_2BPU7pGqQ9/BHC7nncuP2/eu0pY6BQJ958LuV7I/fzySs8nJ5lF3/1CG1ppCNJBl/xHTFfKCof0ib7S/py_2F4IYCav_2Ftxe98nI/nZH.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi2h/1n_2FrPb8KlH0Zm6I/DMN_2B2Rb3dP/VgvW0BFn0fE/SZJzWGdiy3m5qM/ymewVR1TpC9Ou3wlV9Okm/omWH_2FxfhHZzw96/HP0eihm9FW1uN9V/ykWA9NBBnDVcWXTKfE/JwgC0Jx4CafbQ/qgLsjM_2/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/A1Qp_2BWzai2O5/xac_2BRG3wzSilIBjQnWR/yH8MK_2FDeyVZ7zs/MmgvT5kbS5J14SI/50tiJJe1m8aJQ2XT7T/rIRQt7iCb/CwoKyLq7nfSWQHvgpN7o/BCyQHF5XZOebIuFzT_2/BFFOtw4QHhKTLswkkvF9vD/aY9DT6JVICQxS/piqcZUHz/pQlXCrwUL0BTmEd_2FLWL2L/RH2uj8PySJ/d2LKLIyBddk3_2FhT/H.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/pf6_2FLREfP_2FxP/xGe8YUjshftOGCf/JTttK9QVtKrTS7QkWE/ZPLHtzaUx/XGEoZcanWnYYYh5pU8Em/GLDLy5GpGXwcg_2Bwck/kT4Zd7sERIG_2Bba1DdBVT/1BoxASA_2FDOZ/PsNxvKNH/RweAmXaL_2B7o4rtkWRlTX9/6ZU5YSIMnk/yFSTinelYwomOZkWD/rkossiVbXA0U/C_2FCIlnEO_/2FzjQ_2By_2FPmxqq/uw86.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/5R03kGEb4YkHyvd/vrgMCXbUCWgL9mS74E/ZNV_2FT7r/A0OAE579SB7Hx3A4JeNe/QST70In3HBC_2F_2Flg/hEE1oqV04Tcb_2BXZ4DwC_/2BDjxaFgiu1Kq/cZhA7baN/ystZ_2FV5yPDIe8qQfN_2Fy/gQ02q5YT1n/eawFPHFBcfhAYskcF/Z0kyVxsdmmeN/mzjXdayEo/OIVTn_2Fwlw/Fu.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQpK_2BfrxB/1_2B2_2FNDAEnuSdYMUmdr/BpxBwvlUzTu3W/v3tDiaIH/uhnULhLXCDfDONp_2FCc03F/ZkPsDATWsR/KNPTfNdkqqbWMwLBy/xU_2Bk46LKIT/9_2FOKzik9g/v8mZTndKcyg89a/ELxzR_2BALqku0rQMRn2U/KVAF7ruVq/mnKq.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 4a6581a2-619b-52fc-a3a1-1b46c2d11731Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: AM0PR02CU005.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: AM0PR02CA0158.EURPRD02.PROD.OUTLOOK.COMX-CalculatedBETarget: AM0PR0302MB3315.eurprd03.prod.outlook.comX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: ooFlSpth/FKjoRtGwtEXMQ.1.1X-FEServer: AM0PR02CA0158X-Powered-By: ASP.NETX-FEServer: AM7PR03CA0005Date: Mon, 11 Oct 2021 20:23:36 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 3d79bdb5-66ac-6d20-1236-ee020757b4dfStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DU2PR04CU011.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DU2PR04CA0330.EURPRD04.PROD.OUTLOOK.COMX-CalculatedBETarget: DB6PR03MB2838.EURPRD03.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: tb15PaxmIG0SNu4CB1e03w.1.1X-FEServer: DU2PR04CA0330X-Powered-By: ASP.NETX-FEServer: AM7PR03CA0017Date: Mon, 11 Oct 2021 20:23:37 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: de37bbb0-742b-37a2-87bd-bd1fca420c34Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: HE1PR05CU010.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: HE1PR05CA0294.EURPRD05.PROD.OUTLOOK.COMX-CalculatedBETarget: HE1P193MB0009.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: sLs33it0ojeHvb0fykIMNA.1.1X-FEServer: HE1PR05CA0294X-Powered-By: ASP.NETX-FEServer: AM6P193CA0092Date: Mon, 11 Oct 2021 20:24:58 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: cc782159-69ef-cf03-4f21-5a1c9fd141afStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: VI1PR06CU004.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: VI1PR06CA0144.EURPRD06.PROD.OUTLOOK.COMX-CalculatedBETarget: VI1P193MB0047.EURP193.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: WSF4zO9pA89PIVocn9FBrw.1.1X-FEServer: VI1PR06CA0144X-Powered-By: ASP.NETX-FEServer: AM6P193CA0101Date: Mon, 11 Oct 2021 20:25:00 GMTConnection: close
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.513974551.00000000047E0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.528779312.0000000005105000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.539530897.000000000487F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.506906811.0000000003019000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.506906811.0000000003019000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506705607.000000000309D000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmpString found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983772&rver
                      Source: loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983776&rver
                      Source: rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983857&rver
                      Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633983858&rver
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://msn.com/O
                      Source: loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmpString found in binary or memory: https://msn.com/o
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://msn.com/y
                      Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/
                      Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/0
                      Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/D
                      Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf
                      Source: loaddll32.exe, 00000000.00000003.595223833.0000000000ABE000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/signup/liopolo/f5kvQFsIv4wED/j69h8mSZ/xzzTxsSNNb1pIF2nd0zyLKL/oW0UsUUi
                      Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.700328393.0000000000A3D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmpString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/
                      Source: rundll32.exe, 00000003.00000003.681162627.00000000057EC000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fA1Qp_2BWzai2O5%2fxac_2BRG3wzSilIBjQnWR%2fyH8MK_2FDey
                      Source: rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fXqCHqVDXW8CZUpeu5peN_2%2fFydjgYTJtTmoC%2ffAo34oef%2f
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fpf6_2FLREfP_2FxP%2fxGe8YUjshftOGCf%2fJTttK9QV
                      Source: loaddll32.exe, 00000000.00000003.683447032.000000000309C000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fpf6_2FLREfP_2FxP%2fxGe8YUjshftOGCf%2fJTttK9QVtKrTS7Q
                      Source: loaddll32.exe, 00000000.00000003.506742991.0000000000ABB000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fyn_2BPYQmJ20vgPRL3%2f3wjWE1bwH%2fDDPf_2FmyfN4qjiroAK
                      Source: loaddll32.exe, 00000000.00000003.683468251.000000000309B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.683376159.0000000000AC4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.506771882.0000000000AB7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.499989548.0000000005769000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.681194745.00000000057EB000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: loaddll32.exe, 00000000.00000003.700400046.0000000000A55000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/mail/liopolo/pf6_2FLREfP_2FxP/xGe8YUjshftOGCf/JTttK9QVtKrTS7QkWE/ZPLHtzaUx/XGEoZ
                      Source: loaddll32.exe, 00000000.00000003.506863078.0000000000AB2000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/mail/liopolo/yn_2BPYQmJ20vgPRL3/3wjWE1bwH/DDPf_2FmyfN4qjiroAKh/7sxv413IrGA7KcA9H
                      Source: loaddll32.exe, 00000000.00000003.771819176.0000000000A55000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.777718170.0000000000A17000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.779210722.0000000000A55000.00000004.00000020.sdmpString found in binary or memory: https://www.outlook.com/signup/liopolo/7RiyOegViATthNX4pt/E65VkdFK0/peIG_2BaG1SxNKYOcdXs/80APf88JeQp
                      Source: unknownDNS traffic detected: queries for: msn.com
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.91.82:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.114:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.137.178:443 -> 192.168.2.7:49837 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.164.146:443 -> 192.168.2.7:49839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.60.2:443 -> 192.168.2.7:49840 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.7:49841 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.777229049.00000000009FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.499708236.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.785119761.00000000053F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.638534724.0000000002D1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.498145572.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506367708.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.550238977.0000000002F1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506469970.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506985927.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.500076992.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506632233.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.636450090.000000000546F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506394245.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506684501.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499560563.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.497950814.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.498605690.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499306032.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783361786.0000000002CA0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506547628.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499390422.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.499160942.00000000057E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.592754619.000000000556D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506326169.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.546937803.000000000566B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.595315126.0000000002E1D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.506579239.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4720, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.50394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.a6a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.85a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.d7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.3050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.d7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.50394a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.303a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.85a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.7ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2b794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.a6a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.7ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.303a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e610000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2b794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.419038437.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.446200223.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.455038196.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.452964722.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.784698066.0000000005039000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.783230082.0000000002B79000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418099861.0000000000A60000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: B6VQd36tt6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 864
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp