Windows Analysis Report 6yDD19jMIu.dll

AV Detection:

Found malware configuration

Source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Source: 6yDD19jMIu.dll

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for domain / URL

Source: areuranel.website	Virustotal: Detection: 6%			Perma Link
Source: breuranel.website	Virustotal: Detection: 6%			Perma Link
Source: https://areuranel.website/	Virustotal: Detection: 6%			Perma Link

Compliance:

Uses 32bit PE files

Source: 6yDD19jMIu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 6yDD19jMIu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb& source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb7 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.464515303.0000000005490000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdbT) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbD source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb; source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb0 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdby' source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbN source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdbf) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbM source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb* source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb, source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbz source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.463108056.0000000002D40000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbR source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbX) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbg source: WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbX source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb1 source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb> source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.775494976.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776806344.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.471242410.000000006E53B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source:	Binary string: advapi32.pdbH source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.463129538.0000000002D4C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.464251828.0000000002D46000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465353270.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb\ source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.219.162 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.161.50 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.223.66 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.124.210 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.137.114 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 13.82.28.61 187			Jump to behavior

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 40.97.161.50 40.97.161.50
Source: Joe Sandbox View	IP Address: 13.82.28.61 13.82.28.61

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 65c8d4ee-587b-c9b1-e6a8-2fcf099847ceStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedBETarget: AM6PR04MB5622.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 7tTIZXtYscnmqC/PCZhHzg.1X-Powered-By: ASP.NETX-FEServer: AS8PR04CA0145Date: Mon, 11 Oct 2021 20:36:54 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 4b4aee2f-6f98-79c7-950f-5c79da77b3feStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedBETarget: AM6PR06MB4263.eurprd06.prod.outlook.comX-BackEndHttpStatus: 404X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: L+5KS5hvx3mVD1x52nez/g.1X-Powered-By: ASP.NETX-FEServer: AS9PR06CA0128Date: Mon, 11 Oct 2021 20:36:58 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 85b7812e-0a7c-b961-2cc4-adf543fab5aeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: VI1PR08CU010.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: VI1PR08CA0134.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: VI1PR06MB5455.EURPRD06.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: LoG3hXwKYbksxK31Q/q1rg.1.1X-FEServer: VI1PR08CA0134X-Powered-By: ASP.NETX-FEServer: AS9PR06CA0260Date: Mon, 11 Oct 2021 20:38:17 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 295ac203-bc6e-2f15-84bf-9c5b1de6eb11Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: AM9P193CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: AM9P193CA0023.EURP193.PROD.OUTLOOK.COMX-CalculatedBETarget: AM0PR05MB4915.eurprd05.prod.outlook.comX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: A8JaKW68FS+Ev5xbHebrEQ.1.1X-FEServer: AM9P193CA0023X-Powered-By: ASP.NETX-FEServer: AS9PR05CA0054Date: Mon, 11 Oct 2021 20:38:20 GMTConnection: close

URLs found in memory or binary data

Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.500798053.0000000004D65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.503518309.00000000053C2000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.518255520.0000000005005000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns/fb#
Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://areuranel.website/
Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp	String found in binary or memory: https://blogs.msn.com/
Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://breuranel.website/8
Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://breuranel.website/X
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://breuranel.website/liopolo/Gu5CX9rKtqJTGdubC/vfDJzFOCWocD/fyvnSBIy2J4/FhQlzlOfNqSLAT/n_2BCGU5
Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://breuranel.website/liopolo/VQCuXOMQ58gaep/wQcyE3XNRkOUslXiuIoRn/thqxftgA7_2FvfGU/paR5aKKlYUJw
Source: rundll32.exe, 00000003.00000003.521631224.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9
Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.511056929.00000000008E9000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478009497.00000000008E8000.00000004.00000001.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/logi
Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ch
Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984572&rver
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984576&rver
Source: rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984656&rver
Source: loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984659&rver
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656854025.0000000000900000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.477941064.00000000008F0000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://msn.com/
Source: loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp	String found in binary or memory: https://msn.com/e
Source: loaddll32.exe, 00000000.00000003.663884041.0000000001176000.00000004.00000001.sdmp	String found in binary or memory: https://msn.com/f
Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/Mnijq
Source: rundll32.exe, 00000003.00000003.511136188.0000000000889000.00000004.00000001.sdmp	String found in binary or memory: https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/U
Source: loaddll32.exe, 00000000.00000003.571505520.000000000112A000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.com/
Source: loaddll32.exe, 00000000.00000003.571184163.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfS
Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/
Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/$
Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/;
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/C
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/Q
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/m
Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert
Source: loaddll32.exe, 00000000.00000003.576353780.0000000001176000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/w
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.752826654.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz
Source: rundll32.exe, 00000003.00000003.745980774.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.773684613.0000000000894000.00000004.00000020.sdmp	String found in binary or memory: https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MW
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmp	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/
Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/&
Source: rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fBqQVObz8g5lnocL%2frDmP1N8TTzvhY7vp6N%2fRS6H6xMUu%2fq
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fM47eTWImwyNJIXk%2fbvBUnXDqSGJkSqnZ1W%2fIoQdQ6MHW%2fB
Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fwy2L0fN2E5PVQV%2fdJuGUeMmesCePLL0l7Wgt%2fWGkNYevXDY_
Source: loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fytBZeomNqV%2fHSfS_2F75u1_2Bgzu%2ffw3T9nUGqtyA%2fMnMc
Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp	String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/M
Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2
Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4l
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	String found in binary or memory: https://www.outlook.com/signup
Source: rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp	String found in binary or memory: https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_
Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp	String found in binary or memory: https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: msn.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic	HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.768381910.00000000010AB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: 6yDD19jMIu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C21B4		0_2_6E4C21B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D5600		0_2_6E4D5600
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E518C9B		0_2_6E518C9B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4FE8C0		0_2_6E4FE8C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4D5600		3_2_6E4D5600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E50D630		3_2_6E50D630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E523CCE		3_2_6E523CCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E50B597		3_2_6E50B597
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E52FA78		3_2_6E52FA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E51A2B1		3_2_6E51A2B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E52FB98		3_2_6E52FB98
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4FE8C0		3_2_6E4FE8C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E4D5600		4_2_6E4D5600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E50D630		4_2_6E50D630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E523CCE		4_2_6E523CCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E50B597		4_2_6E50B597
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E51A2B1		4_2_6E51A2B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E4FE8C0		4_2_6E4FE8C0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4FAEC0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E508487 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4FABD1 appears 182 times

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,		0_2_6E4C15C6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C1273 NtMapViewOfSection,		0_2_6E4C1273
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C13B8 GetProcAddress,NtCreateSection,memset,		0_2_6E4C13B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C23D5 NtQueryVirtualMemory,		0_2_6E4C23D5

Sample is known by Antivirus

Source: 6yDD19jMIu.dll

Virustotal: Detection: 9%

PE file has an executable .text section and no other executable section

Source: 6yDD19jMIu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 640
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Creates temporary files

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE20.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal96.troj.evad.winDLL@14/12@26/9

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4040
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess892
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1820

Reads the hosts file

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 6yDD19jMIu.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: 6yDD19jMIu.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb& source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb7 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.464515303.0000000005490000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdbT) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbD source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb; source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb0 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdby' source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbN source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdbf) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbM source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb* source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb, source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbz source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.463108056.0000000002D40000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbR source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbX) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbg source: WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbX source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb1 source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb> source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.775494976.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776806344.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.471242410.000000006E53B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source:	Binary string: advapi32.pdbH source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.463129538.0000000002D4C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.464251828.0000000002D46000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465353270.00000000035B2000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb\ source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C2150 push ecx; ret		0_2_6E4C2159
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C21A3 push ecx; ret		0_2_6E4C21B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4FAB9A push ecx; ret		0_2_6E4FABAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4FAB9A push ecx; ret		3_2_6E4FABAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E4FAB9A push ecx; ret		4_2_6E4FABAD

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C1DE5 LoadLibraryA,GetProcAddress,

0_2_6E4C1DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: WerFault.exe, 00000013.00000002.500670226.0000000004D40000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW8
Source: loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.500798053.0000000004D65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.503450551.00000000053B0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.518255520.0000000005005000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000014.00000002.503739309.000000000548E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH
Source: rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW,
Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E506CB3

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C1DE5 LoadLibraryA,GetProcAddress,

0_2_6E4C1DE5

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E51C325 mov eax, dword ptr fs:[00000030h]		0_2_6E51C325
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E528861 mov eax, dword ptr fs:[00000030h]		0_2_6E528861
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E56DFDA mov eax, dword ptr fs:[00000030h]		0_2_6E56DFDA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E56DEAA mov eax, dword ptr fs:[00000030h]		0_2_6E56DEAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E56DBB5 push dword ptr fs:[00000030h]		0_2_6E56DBB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E51C325 mov eax, dword ptr fs:[00000030h]		3_2_6E51C325
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E528861 mov eax, dword ptr fs:[00000030h]		3_2_6E528861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E56DFDA mov eax, dword ptr fs:[00000030h]		3_2_6E56DFDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E56DEAA mov eax, dword ptr fs:[00000030h]		3_2_6E56DEAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E56DBB5 push dword ptr fs:[00000030h]		3_2_6E56DBB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E51C325 mov eax, dword ptr fs:[00000030h]		4_2_6E51C325
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E528861 mov eax, dword ptr fs:[00000030h]		4_2_6E528861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E56DEAA mov eax, dword ptr fs:[00000030h]		4_2_6E56DEAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E56E3B4 mov eax, dword ptr fs:[00000030h]		4_2_6E56E3B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E56DBB5 push dword ptr fs:[00000030h]		4_2_6E56DBB5

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6E506CB3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6E4FB316
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6E506CB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6E4FB316
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6E506CB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_6E4FB316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.219.162 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.97.161.50 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.223.66 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 40.101.124.210 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 52.97.137.114 187			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 13.82.28.61 187			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,		0_2_6E520E4C
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,		0_2_6E4F9EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,		0_2_6E52E448
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,		0_2_6E520429
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		0_2_6E52EA21
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,		0_2_6E52E344
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,		0_2_6E52E3AD
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		0_2_6E52E84C
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		0_2_6E52E0A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		3_2_6E520E4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		3_2_6E4F9EB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E52E448
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E520429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		3_2_6E52EA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E52E344
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		3_2_6E52E3AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		3_2_6E52E84C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		3_2_6E52E0A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_6E520E4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,		4_2_6E4F9EB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E52E448
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E520429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		4_2_6E52EA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E52E344
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,		4_2_6E52E3AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		4_2_6E52E84C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		4_2_6E52E0A2

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6E4C1172

Contains functionality to query time zone information

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E51FF15 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_6E51FF15

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6E4C1825

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY