Windows Analysis Report B6VQd36tt6.dll

Overview

General Information

Sample Name: B6VQd36tt6.dll
Analysis ID: 500299
MD5: c4c060ec6b1e42d70972d0af66a04e66
SHA1: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Tags: BRT dll geo Gozi ISFB ITA Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3272 cmdline: loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 3144 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5692 cmdline: rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5256 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6284 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 2772 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(28 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.6f030000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.0.rundll32.exe.6f030000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.2d094a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.6f030000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.4c394a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(16 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: B6VQd36tt6.dll | Virustotal: Detection: 16%
Source: B6VQd36tt6.dll | ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website | Virustotal: Detection: 6%
Source: breuranel.website | Virustotal: Detection: 6%
Source: https://areuranel.website/ | Virustotal: Detection: 6%
Source: B6VQd36tt6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.199.194:443 -> 192.168.2.6:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.178.34:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: B6VQd36tt6.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb?1 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbl< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000014.00000003.606688005.0000000004963000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596009652.000000000280B000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606688005.0000000004963000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb^8 source: WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbH source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.578075706.00000000027EA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594966351.0000000002816000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.586394801.0000000004A23000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600018161.0000000005674000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb: source: WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb-1 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.577718554.00000000027DE000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596009652.000000000280B000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb9 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb~ source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb91 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb} source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb9 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbx< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbt< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdbh source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbb< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.751009999.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.753309847.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584623901.000000006F0AB000.00000002.00020000.sdmp, B6VQd36tt6.dll
Source: Binary string: sfc_os.pdbd source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.578075706.00000000027EA000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594966351.0000000002816000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
Source: Binary string: combase.pdbV source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbp source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbb source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.579171572.00000000027E4000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594931191.0000000002810000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000E.00000003.586394801.0000000004A23000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600018161.0000000005674000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbJ< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb~< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp

                      Networking:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.178.34 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.178.98 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 13.82.28.61 187
                      Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox ViewIP Address: 40.97.161.50 40.97.161.50
                      Source: global traffic HTTP traffic detected: GET /mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
                      Source: global traffic HTTP traffic detected: GET /mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
                      Source: global traffic HTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
                      Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
                      Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
                      Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 5c2fdc38-15df-1f17-392b-827de99c6af9 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: VI1PR0101CU002.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: VI1PR0101CA0050.EURPRD01.PROD.EXCHANGELABS.COM X-CalculatedBETarget: VI1PR06MB6510.eurprd06.prod.outlook.com X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: ONwvXN8VFx85K4J96Zxq+Q.1.1 X-FEServer: VI1PR0101CA0050 X-Powered-By: ASP.NET X-FEServer: AS9PR06CA0070 Date: Mon, 11 Oct 2021 20:36:17 GMT Connection: close
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 8895e295-2c4a-97c0-6a4c-33e5a4e5782a Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: VI1PR08CU014.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: VI1PR08CA0260.EURPRD08.PROD.OUTLOOK.COM X-CalculatedBETarget: VI1PR0401MB2509.EURPRD04.PROD.OUTLOOK.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: leKViEoswJdqTDPlpOV4Kg.1.1 X-FEServer: VI1PR08CA0260 X-Powered-By: ASP.NET X-FEServer: AM7PR04CA0027 Date: Mon, 11 Oct 2021 20:36:19 GMT Connection: close
                      Source: loaddll32.exe, 00000000.00000002.747869464.0000000000E32000.00000004.00000020.sdmp, WerFault.exe, 0000000E.00000002.610520659.00000000044A0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.629217988.0000000005231000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.633258942.0000000004590000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597601691.0000000000E65000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597601691.0000000000E65000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000002.747869464.0000000000E32000.00000004.00000020.sdmp String found in binary or memory: https://areuranel.website/
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp String found in binary or memory: https://areuranel.website/liopolo/rWpAIhmksB/fMLnE1PXrqd2VqbBj/OJg6ENFLsvoK/2bIbYQZt6Yx/_2FaLr_2FAyB
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.599253320.000000000531D000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp String found in binary or memory: https://breuranel.website/liopolo/gMrPChFga/JRICWiSmidyxIDHRRF29/nBc8QVOwWK1fs_2BdoE/a_2FMpJCzeZdSQf
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599602705.000000000531B000.00000004.00000040.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1633984536&amp;rver
                      Source: rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1633984537&amp;rver
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=en-us&quot;
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/#
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/d
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp String found in binary or memory: https://outlook.office365.com/
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cN
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch&quot;
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/.
                      Source: rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fY72qNipk37Ef6u%2fyMdIBjS0TF0zySEk6QqaV%2fRM1KEI93T2y
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fg1XXBsAxpar6N9kYzRnrf3%2fOQX2uNrM13y9W%2fOb_2BksA%2f
                      Source: loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch&quot;
                      Source: loaddll32.exe, 00000000.00000003.597522417.0000000000E5D000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZE
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com:443/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJ
                      Source: loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp String found in binary or memory: https://www.outlook.com
                      Source: loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2Fa
                      Source: unknown DNS traffic detected: queries for: msn.com
                      Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49761 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49763 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49777 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.98.199.194:443 -> 192.168.2.6:49778 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.6:49779 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49780 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.97.178.34:443 -> 192.168.2.6:49781 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.6:49782 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: B6VQd36tt6.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0321B4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F045600
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F07D630
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F07B597
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303AF24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03032B76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03034C40
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F045600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F088DAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F045600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F08A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06E8C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6F06ABD1 appears 86 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F06ABD1 appears 113 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F078487 appears 34 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F06AEC0 appears 36 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0313B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0315C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0323D5 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03035D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303B149 NtQueryVirtualMemory,
                      Source: B6VQd36tt6.dllVirustotal: Detection: 16%
                      Source: B6VQd36tt6.dllReversingLabs: Detection: 24%
                      Source: B6VQd36tt6.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B10.tmpJump to behavior
                      Source: classification engineClassification label: mal96.troj.evad.winDLL@14/12@14/6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03034A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6284
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2772
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
                      Source: B6VQd36tt6.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: B6VQd36tt6.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb?1 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdbl< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000014.00000003.606688005.0000000004963000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596009652.000000000280B000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606688005.0000000004963000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdb^8 source: WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbH source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.578075706.00000000027EA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594966351.0000000002816000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.586394801.0000000004A23000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600018161.0000000005674000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb: source: WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb-1 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.577718554.00000000027DE000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596009652.000000000280B000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb9 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb~ source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb91 source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb} source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb9 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbx< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbt< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: imagehlp.pdbh source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbb< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.751009999.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.753309847.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584623901.000000006F0AB000.00000002.00020000.sdmp, B6VQd36tt6.dll
                      Source: Binary string: sfc_os.pdbd source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.578075706.00000000027EA000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594966351.0000000002816000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.586440457.0000000004A14000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599691898.0000000005662000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606608773.0000000004952000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbV source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.586428949.0000000004A10000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600086412.0000000005660000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606750760.0000000004950000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbp source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbb source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.579171572.00000000027E4000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.594931191.0000000002810000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.599728775.0000000005668000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.606801196.0000000004957000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000E.00000003.586394801.0000000004A23000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.600018161.0000000005674000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.599851558.0000000005691000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdbJ< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.586282107.0000000004831000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.606501610.0000000004981000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb~< source: WerFault.exe, 0000000E.00000003.586452775.0000000004A17000.00000004.00000040.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0321A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F032150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F06AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303AF13 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303ABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CA9C push 3C0293CCh; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C7A8 push eax; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C954 push edx; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CEDA push esp; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CEF2 push esp; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8F7 pushad ; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8FC pushad ; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8E0 push eax; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C7E4 push eax; iretd
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.689258244.000000000509D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.598927334.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.642989614.000000000519B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597021606.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596902134.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.598779799.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.686530956.000000000325D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.641044169.000000000335B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.729588115.000000000315F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597111833.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599125921.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596646171.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.598981939.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599214026.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599055381.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599169417.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597301011.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.733741499.0000000004F9F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596793912.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599525991.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 3272, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5692, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6f030000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.rundll32.exe.6f030000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6f030000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c394a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.e9a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.rundll32.exe.6f030000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.e9a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c394a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2d2a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.2d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.d50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.6f030000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e1a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2d2a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2e2a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2e2a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e1a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.3030000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.513458257.0000000003220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.492494632.0000000002E20000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.752028518.0000000004C39000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.492791250.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.540888918.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.749793100.0000000002D09000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.610696920.0000000004576000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.629141860.000000000521E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.630848345.00000000045E2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F08C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F098861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F08C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F098861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.178.34 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.178.98 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303A82B cpuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08FF15 _free,_free,_free,GetTimeZoneInformation,_free,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.689258244.000000000509D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.598927334.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.642989614.000000000519B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597021606.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.596902134.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.598779799.0000000005318000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.686530956.000000000325D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.641044169.000000000335B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.729588115.000000000315F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.597111833.00000000034D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.599125921.0000000005318000.00000004.00000040.sdmp, type: MEMORY

                      Remote Access Functionality:

Yara detected Ursnif

                      Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the signature count the report attaches to that technique.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: Windows Management Instrumentation (2) | Native API (1) | At (Linux) | At (Windows) | Cron | Launchd | Scheduled Task | Command and Scripting Interpreter
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job
Privilege Escalation: Process Injection (112) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (1) | Process Injection (112) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (2) | Rundll32 (1) | Steganography | Compile After Delivery | Indicator Removal from Tools
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: System Time Discovery (2) | Security Software Discovery (21) | Virtualization/Sandbox Evasion (1) | Process Discovery (2) | Account Discovery (1) | System Owner/User Discovery (1) | Remote System Discovery (1) | System Information Discovery (23)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Shared Webroot
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (11) | Ingress Tool Transfer (3) | Non-Application Layer Protocol (3) | Application Layer Protocol (14) | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service | Rogue Wi-Fi Access Points | Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features | Data Encrypted for Impact | Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 500299, Sample: B6VQd36tt6.dll, Start date: 11/10/2021, Architecture: WINDOWS, Score: 96

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif

loaddll32.exe (started from the sample root)
  DNS/IP: breuranel.website, areuranel.website, 9 other IPs or domains
  Signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
  Started: rundll32.exe, cmd.exe, rundll32.exe, rundll32.exe

rundll32.exe (started by loaddll32.exe)
  Signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
  Started: WerFault.exe

cmd.exe (started by loaddll32.exe)
  Started: rundll32.exe
    DNS/IP: 52.97.178.34, 443, 49781 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 52.97.178.98, 443, 49782 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 10 other IPs or domains
    Signatures: System process connects to network (likely due to code injection or exploit)

rundll32.exe (two further instances started by loaddll32.exe)
  Started: WerFault.exe (one per instance)

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
B6VQd36tt6.dll | 17% | Virustotal |
B6VQd36tt6.dll | 24% | ReversingLabs | Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.3030000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
0.2.loaddll32.exe.d50000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner
areuranel.website | 7% | Virustotal
breuranel.website | 7% | Virustotal

URLs

Source | Detection | Scanner | Label
https://areuranel.website/ | 7% | Virustotal |
https://areuranel.website/ | 0% | Avira URL Cloud | safe
https://areuranel.website/liopolo/rWpAIhmksB/fMLnE1PXrqd2VqbBj/OJg6ENFLsvoK/2bIbYQZt6Yx/_2FaLr_2FAyB | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://breuranel.website/liopolo/gMrPChFga/JRICWiSmidyxIDHRRF29/nBc8QVOwWK1fs_2BdoE/a_2FMpJCzeZdSQf | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false | | high
outlook.com | 40.97.161.50 | true | false | | high
HHN-efz.ms-acdc.office.com | 52.98.199.194 | true | false | | high
FRA-efz.ms-acdc.office.com | 52.98.208.66 | true | false | | high
www.msn.com | unknown | unknown | false | | high
www.outlook.com | unknown | unknown | false | | high
areuranel.website | unknown | unknown | true | | unknown
breuranel.website | unknown | unknown | true | | unknown
outlook.office365.com | unknown | unknown | false | | high

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre | false | | high
https://outlook.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre | false | | high
https://msn.com/mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre | false | | high
https://outlook.office365.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre | false | | high
https://outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre | false | | high
https://outlook.office365.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre | false | | high
https://www.outlook.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre | false | | high

                                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://msn.com/# | loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp | false | | high
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fY72qNipk37Ef6u%2fyMdIBjS0TF0zySEk6QqaV%2fRM1KEI93T2y | rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | | high
https://www.msn.com/. | loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp | false | | high
https://areuranel.website/ | loaddll32.exe, 00000000.00000002.747869464.0000000000E32000.00000004.00000020.sdmp | true | 7%, Virustotal; Avira URL Cloud: safe | unknown
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | | high
https://areuranel.website/liopolo/rWpAIhmksB/fMLnE1PXrqd2VqbBj/OJg6ENFLsvoK/2bIbYQZt6Yx/_2FaLr_2FAyB | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
https://blogs.msn.com/ | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.599253320.000000000531D000.00000004.00000040.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599602705.000000000531B000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us//api/modules/fetch" | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | | high
https://www.msn.com/ | loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp | false | | high
http://ogp.me/ns/fb# | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597601691.0000000000E65000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | | high
https://outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/d | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp | false | | high
https://msn.com/ | loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/ | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp | false | | high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597397384.0000000000E66000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://www.outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2Fa | loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp | false | | high
http://ogp.me/ns# | loaddll32.exe, 00000000.00000003.597703077.0000000003459000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.597601691.0000000000E65000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.599440417.0000000005299000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cN | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000003.696404681.0000000000DF1000.00000004.00000001.sdmp | false | | high
https://www.outlook.com | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp | false | | high
https://breuranel.website/liopolo/gMrPChFga/JRICWiSmidyxIDHRRF29/nBc8QVOwWK1fs_2BdoE/a_2FMpJCzeZdSQf | loaddll32.exe, 00000000.00000002.747507339.0000000000DF1000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                                                                                Contacted IPs


                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.98.199.194 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.98.208.66 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.178.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.97.178.98 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.97.161.50 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500299
Start date: 11.10.2021
Start time: 22:32:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: B6VQd36tt6.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@14/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.2% (good quality ratio 12.5%)
• Quality average: 77.9%
• Quality standard deviation: 29.8%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 95.100.218.79, 2.20.178.10, 2.20.178.56, 95.100.216.89, 20.50.102.62, 131.253.33.203, 204.79.197.203, 20.189.173.22, 104.208.16.94, 20.189.173.21, 52.184.81.210, 2.20.178.24, 2.20.178.18, 20.54.110.249, 40.112.88.60
• Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found

Simulations

Behavior and APIs

Time | Type | Description
22:35:22 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Associated sample name / URL, with Joe Sandbox detection in parentheses:

Match: 52.97.178.98
• uT9rwkGATJ.dll (malicious)
• https://storage.googleapis.com/aoffice365-eposes-451227998/index.html (malicious)

Match: 40.97.161.50
• test1.dll (malicious)
• 6.dll (malicious)
• 6101135878f66.dll (malicious)
• a9FUs89dWy.dll (malicious)
• 609a460e94791.tiff.dll (malicious)
• 13fil.exe (malicious)
• 24messag.exe (malicious)
• .exe (malicious)
• .exe (malicious)
• 66documen.exe (malicious)
• 9messag.exe (malicious)

Domains

No context

ASN

Associated sample name (detection), followed by the IP in this ASN that the sample contacted:

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
• B6VQd36tt6.dll (malicious), 52.97.183.162
• P2AN3Yrtnz.exe (malicious), 40.93.212.0
• b3astmode.x86 (malicious), 72.154.237.78
• b3astmode.arm7 (malicious), 20.153.181.154
• b3astmode.arm7-20211011-1850 (malicious), 20.63.129.213
• TNIZtb3HS3.exe (malicious), 20.42.65.92
• PROFORMA INVOICE -PI6120..html (malicious), 40.101.62.34
• setup_x86_x64_install.exe (malicious), 52.168.117.173
• ntpclient (malicious), 21.215.78.72
• 2021catalog-selected products.xlsm (malicious), 13.92.100.208
• K6E9636Koq (malicious), 159.27.209.248
• setup_x86_x64_install.exe (malicious), 20.42.73.29
• Hm7d40tE44.exe (malicious), 104.47.53.36
• mixsix_20211008-150045.exe (malicious), 20.189.173.22
• SecuriteInfo.com.W32.AIDetect.malware2.21009.exe (malicious), 104.47.53.36
• in7BcpKNoa.exe (malicious), 40.93.212.0
• xiaomi-home.apk (malicious), 104.45.180.93
• canon-camera-connect.apk (malicious), 104.45.180.93
• aXNdDIO708.exe (malicious), 104.47.53.36
• uT9rwkGATJ.dll (malicious), 52.98.208.114

JA3 Fingerprints

Match: ce5f3254611a8c095a3d821d44539877

Every associated sample below was seen with this fingerprint against the same six addresses: 52.98.199.194, 52.98.208.66, 52.97.178.34, 52.97.178.98, 40.97.161.50, 13.82.28.61
• B6VQd36tt6.dll (malicious)
• setup_x86_x64_install.exe (malicious)
• aVFOmbW2t7.dll (malicious)
• gxJ83rJkgw.msi (malicious)
• yR4AxlwcWJ.exe (malicious)
• BsyK7FB5DQ.exe (malicious)
• SGfGZT66wD.exe (malicious)
• uT9rwkGATJ.dll (malicious)
• XK1PLPuwjL.exe (malicious)
• pHEiqE9toa.msi (malicious)
• SecuriteInfo.com.W32.AIDetect.malware2.24481.exe (malicious)
• vH0SHswvrb.exe (malicious)
• NM0NyvZi8O.exe (malicious)
• yOTzv1Qz0n.exe (malicious)
• SWaTAV7EdD.exe (malicious)
• SKMC07102021.exe (malicious)
• 50r72IVfM0.msi (malicious)
• setup_x86_x64_install.exe (malicious)
• 83ONlZMwS9.msi (malicious)
• Dxr7myLbG2.msi (malicious)

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_09f0aab7\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11922
                                                                                                          Entropy (8bit):3.757615495140162
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:jIIiv0oXDHygBWjed+x/u7stS274ItWcQ:8IiRXDygBWjec/u7stX4ItWcQ
                                                                                                          MD5:A7E04B92D3FF2630B68DB7BFD15F234B
                                                                                                          SHA1:2DC4F227B387515B9B2F85292925E3A6130D8F89
                                                                                                          SHA-256:7A24FFCD6511ABEE0C923E0CB5AE405DC37DC14AE082A11B676FC554076A5398
                                                                                                          SHA-512:84E32729E07D17D86BF02D8187BCC84882D39C65B21D50E36D3DF1225414B3EC891830F8817E44B90FDC57DE15B473897E2B538DBD6A1A305AA7496DD94A1173
                                                                                                          Malicious:false
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.3.5.2.1.9.2.6.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.4.9.2.6.6.0.7.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.9.c.f.e.9.e.-.2.1.c.f.-.4.a.4.2.-.a.d.1.6.-.9.b.6.f.3.7.5.5.6.c.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.e.3.8.0.5.a.-.8.e.1.6.-.4.7.1.b.-.b.3.d.f.-.2.d.f.d.4.0.e.4.8.d.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.8.c.-.0.0.0.1.-.0.0.1.7.-.3.2.1.8.-.a.b.b.9.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_06908bb5\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):12044
                                                                                                          Entropy (8bit):3.7648840989529164
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:mCsiP0oXSHBUZMX4jed+x/u7stS274It7c+:aixXqBUZMX4jec/u7stX4It7c+
                                                                                                          MD5:3BE35060EBF507559C93F8D1F5EB195B
                                                                                                          SHA1:5F8B547C0693CD5BBECA73FA322D9C3FE9B65353
                                                                                                          SHA-256:E7F44AE2CEF8BFE2CF014F4D3548912DDCE95B11ED79A28B7E5A7042C0CBA7E3
                                                                                                          SHA-512:DADA3BBA9A8ED31CED217F1AA4263EAC8057C5DB2278216BED7322A93AA9BC4A302276D40D84FF0DEE8EA4B07B4DE3128721216DA55C3D1BBCB491895362D87A
                                                                                                          Malicious:false
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.3.0.4.6.1.7.5.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.4.0.9.6.7.2.6.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.4.d.5.1.9.0.-.0.4.c.6.-.4.7.3.1.-.a.a.d.0.-.8.b.2.a.f.9.5.b.2.4.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.2.e.c.8.d.4.-.9.2.3.3.-.4.f.9.a.-.b.e.a.c.-.4.6.0.9.c.7.b.1.e.6.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.8.-.0.0.0.1.-.0.0.1.7.-.d.b.d.5.-.9.d.b.7.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_06a0b526\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):12042
                                                                                                          Entropy (8bit):3.7633224655126005
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:KmrxiH0oXTHBUZMX4jed+5/u7stS274It7cl:Lti5XTBUZMX4jeU/u7stX4It7cl
                                                                                                          MD5:85950B9E9E4E67DE8E5F06F24CC9BF90
                                                                                                          SHA1:EBD85516F99D3D3DC07BB5BFBA834EAE487D708E
                                                                                                          SHA-256:9A31F447CB4C034FAD9CD7856D8CEB9107F86ACDB1D517B353913F72402B0405
                                                                                                          SHA-512:A81A3BDB2E927D7A9CBD6D73616DFAC506CD1D80D1CDE87EB1AC7D310D73A9077E5807484B47E9560DA02EF8F91A32ADE0C68C6EFD1FDD9FA9D2811FD647AA08
                                                                                                          Malicious:false
                                                                                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.3.8.0.1.7.6.4.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.5.1.8.6.1.3.3.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.1.8.5.c.b.0.-.e.7.1.8.-.4.e.3.d.-.8.6.2.b.-.7.1.1.f.c.c.6.e.0.5.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.0.0.3.2.4.f.-.c.1.4.1.-.4.f.f.3.-.a.f.b.3.-.5.9.e.0.d.a.9.8.c.d.6.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.d.4.-.0.0.0.1.-.0.0.1.7.-.d.b.a.f.-.1.e.b.d.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B10.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:32 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):35256
                                                                                                          Entropy (8bit):2.4208959350942596
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:JglDlA2Rs//a/f0MLLIZhsg1Qy+S+Ucctqen8IOX:Jv2Rs/C3tL4hsgGtUccl8IQ
                                                                                                          MD5:1F86AC58A89B09958F6BBDF996932D6C
                                                                                                          SHA1:B5C051402F31C21C47DFEBB77F853F1744BFA5EF
                                                                                                          SHA-256:DDA9149E21CEEC51431DE39AD01BAEA1411ECBEF9E04D6C826CC950CE8F74BAE
                                                                                                          SHA-512:6F497D8EDA8161F5D6F8863483063CCB277850A78D15C7B885DAAEC60F1E2452CC2B15E1E94F3968A582E224FE2323520B431AFECDC4A0D515BB4FAD513BBA0A
                                                                                                          Malicious:false
                                                                                                          Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T...........6.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER63AC.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8406
                                                                                                          Entropy (8bit):3.6987300061265027
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNipT65zh6Yug6nVtOmXgmf8eSjwZCprP89bSOsfNGm:RrlsNit69h6YJ6nVtOmXgmf8eSjwBSNN
                                                                                                          MD5:E03C343BC0633FAF3DF69A060E98C747
                                                                                                          SHA1:5135A8DF7F0E81B7FC6A480ADE2DC1B7CB8926FA
                                                                                                          SHA-256:29B00A99BF02D4F8D6906AD9996D4761AEA35B9A30E92FE4D37154522EA81CF4
                                                                                                          SHA-512:473843DA03DC96C22022591E55F1F8F3BFC0AA54C9D12BACC47D6C3FB0CE08FD7A86E68A787B0E2E3B4C0495A343CF2F2DD20EC95454E448CF020E7CB47CAB3E
                                                                                                          Malicious:false
                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.5.6.<./.P.i.d.>.......
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER67D4.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4771
                                                                                                          Entropy (8bit):4.486523273735861
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zsmJgtWI9p5rWSC8BRc8fm8M4JCds0MF1+q8vjs0w4SrSrd:uITf8yUSNlJyIKtwDWrd
                                                                                                          MD5:FD9057D258E84F2AB9F3DA66302684D2
                                                                                                          SHA1:CFB67DC24CA388AA63C520A6A9C376283464903B
                                                                                                          SHA-256:2BFE2A84C2D32CFCB07775E0AB48253E5FAC997C9176F069895CE7C53BA34D66
                                                                                                          SHA-512:CEC0C4D580B87D3310DE8C03A3BFBDB7D0694AE64403AB7655F3C84100777B2AC488C43FA92DD60300AD6E6901A39621827457F4B110C2B8EC3A605BF2B42BF1
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D9E.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:38 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):63018
                                                                                                          Entropy (8bit):1.9002202523498852
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:3peTby7dJdyrIaf0x67tL5n+x5TYi4SJw7Ynh5RY:38fabdi7QQL5SRnf1h5RY
                                                                                                          MD5:10D974B64FF526B2A6BE856FEAE7A23C
                                                                                                          SHA1:2F9FEF4D1C2749CE1B3276CBB0C22DED5C762898
                                                                                                          SHA-256:469BEB63A87C03FF1FE513482FC8AE36E771E67EB2B6AAB9097A41919D47CA2C
                                                                                                          SHA-512:BE81FD47EF2BBE94016415A23FEE50EE74CEC9C686E121A46A1961F774FE1FA08279F66B9D15F668F675B6CD5861BB36D23DABA3D0EFCBC110AF3F3FEDE00068
                                                                                                          Malicious:false
                                                                                                          Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T...........9.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER788B.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:41 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):35698
                                                                                                          Entropy (8bit):2.408099527928471
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:C8gqrzXek1f0MLLIZhsRUlLiAVQk1/eB0nnS8+T:CIrKkdtL4hsR0OAqkIinh+T
                                                                                                          MD5:CDC28147E5D2C8FEE62D5F364AFA21BA
                                                                                                          SHA1:53EB490C35EAB537578892AD7F05349AB808A1DD
                                                                                                          SHA-256:8362B9A6373C9A5750EE252FB5C49CA38A8A60C04E9164CBCCF9AE86E5D904CE
                                                                                                          SHA-512:A217C4D04E56067D60012B814BF2862262E495B1389D70747E3E90F06C4A5F995F06CF75FADB968447BCD1181CA4B9061C5BA3D979D4069FC14F0942C05ECBB9
                                                                                                          Malicious:false
                                                                                                          Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T...........?.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CD2.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8306
                                                                                                          Entropy (8bit):3.6950985837951538
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNiFs6yP6YuW6pgmfTkOStwZCpDC89bYAsf7ZIm:RrlsNiu686Y/6pgmfTkOStwyYTf7z
                                                                                                          MD5:53A8713A3D518BF4398C7DC5EE97832E
                                                                                                          SHA1:6B32AD490FF98765EB4BBAAA70FFD48472359318
                                                                                                          SHA-256:A30F7DE6606984ECF22AA59393DE486BD3FE946732A3CF72C73A5455255AE5E8
                                                                                                          SHA-512:4179034EA76563C8B04680761DE582CB24C3F378576DCE61FD76237922081FE334B5415871E4A09A095DB7BC5A7C37C221CC785A9ED6CE8C1F0765EC0AD96DB5
                                                                                                          Malicious:false
                                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.8.4.<./.P.i.d.>.......
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER837A.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4630
                                                                                                          Entropy (8bit):4.455697919266282
Encrypted: false
SSDEEP: 48:cvIwSD8zsmJgtWI9p5rWSC8BfM8fm8M4JCds9Fex+q8/5Y4SrSxd:uITf8yUSNpxJ4xzDWxd
MD5: B1DDC3420DFB7C2BBA3617F7CDF427FE
SHA1: E23312B013B75C48E88A357A5785379F3DCFF69C
SHA-256: B245B4E2C87A879130313F58B73202BFAAD8682932594690378021E4AED06ACA
SHA-512: A72D80A2C8C5B06DFC7AA9B79A12FEDDD40BCFD5633AA9E3591693278561DF8D24AE857B9E74B8B95BCB10656F2C33631E63BCD939C6F9B5B6D1AF88E6B8E085
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88E7.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8406
Entropy (8bit): 3.7004888092021453
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiF06X6Yuy6pgmf8eSjwZCprI89bsfsf8Em:RrlsNiW6X6Yb6pgmf8eSjwEsEfW
MD5: F9B0FDED752EEA1C8BA95054EBA02EFE
SHA1: 2D27B171C34E2014EF1EF7CACC6B1F114499504C
SHA-256: F2689516846EB5ED28B5A31DBD00A54AE06BBCAF0FA57CFDB94889D8E4B7BD7C
SHA-512: 15602AAE224847856A1DBA1C017A5D38D1B45B05B8EF78743525D03E7A75BA62ADD39DF76C5995E5D90F7EA34BDC971691996F92B80133FB560388E305A6D5DD
Malicious: false
Preview (decoded from UTF-16):
    <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
        <OSVersionInformation>
            <WindowsNTVersion>10.0</WindowsNTVersion>
            <Build>17134</Build>
            <Product>(0x30): Windows 10 Pro</Product>
            <Edition>Professional</Edition>
            <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
            <Revision>1</Revision>
            <Flavor>Multiprocessor Free</Flavor>
            <Architecture>X64</Architecture>
            <LCID>1033</LCID>
        </OSVersionInformation>
        <ProcessInformation>
            <Pid>2772</Pid>

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CD0.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.483807136834076
Encrypted: false
SSDEEP: 48:cvIwSD8zsmJgtWI9p5rWSC8B2+8fm8M4JCds0MFP+q8vjs0Ji4SrSUd:uITf8yUSN87JyOKtJiDWUd
MD5: 40F554717EE45DC3457D352B8AE8CFA3
SHA1: 0BC9E6BF5E0BEB76C6996B7F162A3C4E60F3CEFC
SHA-256: 1F4F99A93A24C94FAC6CF76BBC62F517BEB2A4000011AFCE29662591E2C55F84
SHA-512: 7E70A8B81B3FA28DF4F997DBC8FE9D7DB3C926FE6C5A7FA5F98A062A78412E458B61F7A60D50940E13514A2252D0F40FE7F02FED07A8F9FF65A273858C654242
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.67002840473361
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: B6VQd36tt6.dll
File size: 718336
MD5: c4c060ec6b1e42d70972d0af66a04e66
SHA1: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SHA512: 5553d68867af378d347620208b35d4d6261526770cf2a47884f0eff17392cedfa91ab491265717a459b4ccbe43f490a90caaf9289b9f92e8cd63140710e9ca78
SSDEEP: 12288:QUAQSxT6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XPGAsx:Qz3xT6fq8Np6bTPPaBreaZlYCOSVolam
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..Ox.`.x.`.x.`..~..{.`.q...m.`...b.|.`...e.q.`...c.l.`..~..o.`.x.a...`...e...`...`.y.`...`.y.`.x...y.`...b.y.`.Richx.`........

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x1003ab77
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5F6FEFFF [Sun Sep 27 01:50:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 8acc1c3be9064cb55c8e3d7147f3d7c3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F07BCC462C7h
call 00007F07BCC46DB2h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F07BCC4616Ah
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F07BCC45EC3h
jmp 00007F07BCC462A0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F07BCC45EB2h
jmp 00007F07BCC4628Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
inc dword ptr fs:[eax]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa8990 | 0x80 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8a10 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x146000 | 0x53d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa474c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa47a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7b000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x79f71 | 0x7a000 | False | 0.510071801358 | data | 6.75461975802 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7b000 | 0x2e586 | 0x2e600 | False | 0.556377400606 | data | 5.60164615331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaa000 | 0x9b19c | 0x1800 | False | 0.190266927083 | data | 4.15778005426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x146000 | 0x53d0 | 0x5400 | False | 0.752650669643 | data | 6.72453697464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll | TranslateMessage, CreateMenu, UnregisterHotKey, DeferWindowPos, RegisterWindowMessageW, BeginDeferWindowPos, GetPropW
MSACM32.dll | acmFormatChooseW, acmFilterEnumW, acmFilterTagDetailsW, acmFilterDetailsW, acmDriverClose, acmFormatDetailsW, acmDriverOpen, acmDriverPriority, acmDriverMessage, acmFormatTagEnumW, acmDriverAddW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverEnum, acmFormatEnumW, acmDriverID, acmFormatSuggest, acmDriverDetailsW, acmFilterChooseW, acmGetVersion, acmDriverRemove, acmMetrics

Exports

Name | Ordinal | Address
BeGrass | 1 | 0x10016020
Fieldeight | 2 | 0x100162f0
Often | 3 | 0x10016510
Townenter | 4 | 0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2021 22:35:35.259776115 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.259819031 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:35.260531902 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.267252922 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.267280102 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:35.636917114 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:35.637025118 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.639486074 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.639499903 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:35.639818907 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:35.694258928 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:35.977374077 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.019140005 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:36.100270987 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:36.100338936 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:36.100430965 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.104357958 CEST | 49761 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.104392052 CEST | 443 | 49761 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:36.720808029 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.720849037 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:36.720937967 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.728974104 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:36.729003906 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.044668913 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.044819117 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:37.047748089 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:37.047772884 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.048060894 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.101821899 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:37.458256960 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
Oct 11, 2021 22:35:37.503140926 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.574573994 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.574657917 CEST | 443 | 49763 | 13.82.28.61 | 192.168.2.6
Oct 11, 2021 22:35:37.575021982 CEST | 49763 | 443 | 192.168.2.6 | 13.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575855970 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575877905 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.575956106 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575964928 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:36:17.610728979 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.610759974 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:17.610867977 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.611726999 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.611743927 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.128029108 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.128792048 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.132210016 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.132224083 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.132575989 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.138678074 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.179141998 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.307991028 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308073044 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308492899 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308541059 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308572054 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308588028 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308599949 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.383008957 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.383053064 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.386106014 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.386921883 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.386948109 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.481684923 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.481864929 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.488152981 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.488179922 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.488593102 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.491640091 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521219969 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521337032 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521491051 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521552086 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521565914 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521938086 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521955013 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.550992966 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.551038980 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.551259995 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.552093983 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.552125931 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.647032022 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.647165060 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.651844978 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.651861906 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.652160883 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.654882908 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.695138931 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718173981 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718261957 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718323946 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.726743937 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.726766109 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.785830975 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.785887957 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.786026955 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.786667109 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.786684990 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.294521093 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.294776917 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.297009945 CEST49780443192.168.2.640.97.161.50

UDP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 11, 2021 22:35:35.229856014 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:35.245790005 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:35:36.111063957 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:36.687268019 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:36.708036900 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:35:37.600009918 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:57.504539967 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:57.524563074 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:35:58.419724941 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:35:58.437235117 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:17.590590954 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:17.608792067 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:18.361334085 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:18.380968094 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:18.529942036 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:18.546534061 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:18.767518044 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:18.784348965 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:19.477575064 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:19.494900942 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:19.675849915 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:19.693698883 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:38.823678970 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:38.844248056 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
| Oct 11, 2021 22:36:40.759514093 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
| Oct 11, 2021 22:36:40.780013084 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |

DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Oct 11, 2021 22:35:35.229856014 CEST | 192.168.2.6 | 8.8.8.8 | 0x6aae | Standard query (0) | msn.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:36.111063957 CEST | 192.168.2.6 | 8.8.8.8 | 0x3e28 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:36.687268019 CEST | 192.168.2.6 | 8.8.8.8 | 0x7b05 | Standard query (0) | msn.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:37.600009918 CEST | 192.168.2.6 | 8.8.8.8 | 0x28e1 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:57.504539967 CEST | 192.168.2.6 | 8.8.8.8 | 0x9ef7 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:58.419724941 CEST | 192.168.2.6 | 8.8.8.8 | 0x42f7 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.590590954 CEST | 192.168.2.6 | 8.8.8.8 | 0x4c3e | Standard query (0) | outlook.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.361334085 CEST | 192.168.2.6 | 8.8.8.8 | 0xd19a | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.529942036 CEST | 192.168.2.6 | 8.8.8.8 | 0x1f03 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.767518044 CEST | 192.168.2.6 | 8.8.8.8 | 0x7ff6 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.477575064 CEST | 192.168.2.6 | 8.8.8.8 | 0x382d | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.675849915 CEST | 192.168.2.6 | 8.8.8.8 | 0xa1eb | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:38.823678970 CEST | 192.168.2.6 | 8.8.8.8 | 0xa792 | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:40.759514093 CEST | 192.168.2.6 | 8.8.8.8 | 0x5f89 | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Oct 11, 2021 22:35:35.245790005 CEST | 8.8.8.8 | 192.168.2.6 | 0x6aae | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:36.128932953 CEST | 8.8.8.8 | 192.168.2.6 | 0x3e28 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:35:36.708036900 CEST | 8.8.8.8 | 192.168.2.6 | 0x7b05 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:37.618123055 CEST | 8.8.8.8 | 192.168.2.6 | 0x28e1 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:35:57.524563074 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ef7 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:35:58.437235117 CEST | 8.8.8.8 | 192.168.2.6 | 0x42f7 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:17.608792067 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c3e | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.199.194 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.214.82 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.124.2 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.380968094 CEST | 8.8.8.8 | 192.168.2.6 | 0xd19a | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.152.194 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.98.208.66 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.212.34 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.546534061 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f03 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.157.162 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:18.784348965 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ff6 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.178.34 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.135.82 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.208.66 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.494900942 CEST | 8.8.8.8 | 192.168.2.6 | 0x382d | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.208.50 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.178.98 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.183.162 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.223.66 | A (IP address) | IN (0x0001) |
| Oct 11, 2021 22:36:19.693698883 CEST | 8.8.8.8 | 192.168.2.6 | 0xa1eb | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.98 | A (IP address) | IN (0x0001) |
                                                                                                          Oct 11, 2021 22:36:38.844248056 CEST8.8.8.8192.168.2.60xa792Name error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:40.780013084 CEST8.8.8.8192.168.2.60x5f89Name error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49761 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:35:35 UTC | 0 | OUT | GET /mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:35:36 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:35:35 GMT
Connection: close
Content-Length: 371
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49763 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:35:37 UTC | 1 | OUT | GET /mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:35:37 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:35:37 GMT
Connection: close
Content-Length: 398
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrq


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49777 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:18 UTC | 2 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:36:18 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre
Server: Microsoft-IIS/10.0
request-id: 6e1f0e87-1066-4faf-c046-ce5e26254186
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0029
X-RequestId: 628d9d53-49e4-4ca4-94c4-b11208e638b5
MS-CV: hw4fbmYQr0/ARs5eJiVBhg.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0029
Date: Mon, 11 Oct 2021 20:36:18 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49778 | 52.98.199.194 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:18 UTC | 3 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:36:18 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre
Server: Microsoft-IIS/10.0
request-id: 0cc5d072-33f2-6f76-f015-ee91bb583d6b
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS8P189CA0023
X-RequestId: 1ed9ec8f-eb8c-4b13-9095-f7b5e6ea2573
MS-CV: ctDFDPIzdm/wFe6Ru1g9aw.0
X-Powered-By: ASP.NET
X-FEServer: AS8P189CA0023
Date: Mon, 11 Oct 2021 20:36:17 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49779 | 52.98.208.66 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:18 UTC | 4 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:36:18 UTC | 5 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 5c2fdc38-15df-1f17-392b-827de99c6af9
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: VI1PR0101CU002.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: VI1PR0101CA0050.EURPRD01.PROD.EXCHANGELABS.COM
X-CalculatedBETarget: VI1PR06MB6510.eurprd06.prod.outlook.com
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: ONwvXN8VFx85K4J96Zxq+Q.1.1
X-FEServer: VI1PR0101CA0050
X-Powered-By: ASP.NET
X-FEServer: AS9PR06CA0070
Date: Mon, 11 Oct 2021 20:36:17 GMT
Connection: close
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49780 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:19 UTC | 7 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:36:19 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre
Server: Microsoft-IIS/10.0
request-id: 788ce384-07aa-8879-d946-2cc1b02eb792
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0026
X-RequestId: 738ef795-5233-4365-a8d0-c1e1bcdbffa8
MS-CV: hOOMeKoHeYjZRizBsC63kg.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0026
Date: Mon, 11 Oct 2021 20:36:19 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.6 | 49781 | 52.97.178.34 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:19 UTC | 8 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:36:19 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre
Server: Microsoft-IIS/10.0
request-id: e3fdf5a0-ef19-6991-ae02-d09d6eb6eb6d
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AM7PR02CA0012
X-RequestId: 28d1f2b0-6ee7-49fb-91b3-38f8f9eb5739
MS-CV: oPX94xnvkWmuAtCdbrbrbQ.0
X-Powered-By: ASP.NET
X-FEServer: AM7PR02CA0012
Date: Mon, 11 Oct 2021 20:36:19 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.6 | 49782 | 52.97.178.98 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:19 UTC | 9 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: outlook.office365.com
2021-10-11 20:36:19 UTC | 9 | IN | HTTP/1.1 404 Not Found
                                                                                                          Content-Length: 1245
                                                                                                          Content-Type: text/html
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 8895e295-2c4a-97c0-6a4c-33e5a4e5782a
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-CalculatedFETarget: VI1PR08CU014.internal.outlook.com
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-FEProxyInfo: VI1PR08CA0260.EURPRD08.PROD.OUTLOOK.COM
                                                                                                          X-CalculatedBETarget: VI1PR0401MB2509.EURPRD04.PROD.OUTLOOK.COM
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-RUM-Validated: 1
                                                                                                          X-Proxy-RoutingCorrectness: 1
                                                                                                          X-Proxy-BackendServerStatus: 404
                                                                                                          MS-CV: leKViEoswJdqTDPlpOV4Kg.1.1
                                                                                                          X-FEServer: VI1PR08CA0260
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: AM7PR04CA0027
                                                                                                          Date: Mon, 11 Oct 2021 20:36:19 GMT
                                                                                                          Connection: close
2021-10-11 20:36:19 UTC | 10 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          Behavior


                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:22:33:41
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll'
                                                                                                          Imagebase:0x1320000
                                                                                                          File size:893440 bytes
                                                                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597021606.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596902134.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.686530956.000000000325D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.641044169.000000000335B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.729588115.000000000315F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597111833.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596646171.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.540888918.0000000000E90000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597301011.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.749793100.0000000002D09000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596793912.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate

                                                                                                          General

                                                                                                          Start time:22:33:41
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                                                                                                          Imagebase:0x2a0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:42
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.492494632.0000000002E20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:42
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.689258244.000000000509D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598927334.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.642989614.000000000519B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.752028518.0000000004C39000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598779799.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.492791250.0000000002E10000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599125921.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598981939.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599214026.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599055381.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599169417.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.733741499.0000000004F9F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599525991.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:46
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.513458257.0000000003220000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:52
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:35:22
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          General

                                                                                                          Start time:22:35:32
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          General

                                                                                                          Start time:22:35:34
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          Disassembly

                                                                                                          Code Analysis
