Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Sample Name: 6yDD19jMIu.dll
Analysis ID: 500309
MD5: 903cf677ba834a968b42bd71e4626a9d
SHA1: c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256: b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4668 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 1656 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4712 cmdline: rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 892 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1820 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4040 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=",
  "c2_domain": [
    "msn.com/mail",
    "breuranel.website",
    "outlook.com/signup",
    "areuranel.website"
  ],
  "botnet": "8899",
  "server": "12",
  "serpent_key": "56473871MNTYAIDA",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
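The extracted configuration above mixes two kinds of C2 entry: two bare domains (breuranel.website, areuranel.website) and two host-plus-path entries on Microsoft-owned domains (msn.com/mail, outlook.com/signup), which the network trace later on this page shows the bot actually contacting. Pushing the whole list into a blocklist would cut off msn.com and outlook.com for every user. The following script, an added example that is not Joe Sandbox code and not the malware's own, parses the configuration string copied from this section, splits each C2 entry into host and path, routes entries on high-collateral domains (a hypothetical list, extend it from your own allow-list) to analyst review rather than to the blocklist, checks that the RSA key field is well-formed base64, and carries the timing and DGA parameters through as integers. The DGA itself is not reproduced: the report gives only the count of fallback domains, not the algorithm.

```python
"""Turn the Ursnif/ISFB configuration extracted above into reviewable indicators.

Added example for this page: not Joe Sandbox code and not the malware's own.
URSNIF_CONFIG_JSON is copied from the "Malware Configuration" section above;
HIGH_COLLATERAL_DOMAINS is a hypothetical starting list.
"""
import base64
import binascii
import json

URSNIF_CONFIG_JSON = r'''{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Registered domains where a blocklist entry would cut off legitimate traffic
# for the whole estate. C2 entries on them are queued for an analyst
# ("review") instead of being pushed to the blocklist ("block").
HIGH_COLLATERAL_DOMAINS = {"msn.com", "outlook.com", "live.com", "microsoft.com"}


def registered_domain(host):
    """Last two labels of a host name; sufficient for the domains in this report."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def split_c2_entry(entry):
    """'msn.com/mail' -> ('msn.com', '/mail'); a bare host gets path '/'."""
    host, sep, path = entry.partition("/")
    return host, ("/" + path if sep else "/")


def classify_c2(entry):
    host, path = split_c2_entry(entry)
    reg = registered_domain(host)
    action = "review" if reg in HIGH_COLLATERAL_DOMAINS else "block"
    return {"host": host, "path": path, "registered_domain": reg, "action": action}


def decode_rsa_key(b64_text):
    """Size in bytes of the decoded key blob, or None if the field is not valid base64."""
    try:
        return len(base64.b64decode(b64_text, validate=True))
    except (binascii.Error, ValueError):
        return None


def extract_iocs(config_json):
    cfg = json.loads(config_json)
    c2 = [classify_c2(entry) for entry in cfg["c2_domain"]]
    return {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        # Serpent key the extractor reports for the bot's encrypted C2 traffic
        "serpent_key": cfg["serpent_key"],
        "rsa_key_len": decode_rsa_key(cfg["RSA Public Key"]),
        "sleep_time": int(cfg["sleep_time"]),
        "conf_timeout": int(cfg["CONF_TIMEOUT"]),
        # number of fallback DGA domains the bot may generate; the algorithm
        # itself is not reproduced here
        "dga_count": int(cfg["DGA_count"]),
        "c2": c2,
        "block_now": [c["host"] for c in c2 if c["action"] == "block"],
        "review_first": [c["host"] for c in c2 if c["action"] == "review"],
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(URSNIF_CONFIG_JSON), indent=2))
```

Run as-is it prints the indicator record; `block_now` holds the two .website domains and `review_first` the two Microsoft hosts. Whether the Microsoft entries are decoys or abused hosting is not something this report settles, which is exactly why they should not be auto-blocked.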

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(30 entries in the full report; first five shown)

Unpacked PEs

Source | Rule | Description | Author
3.3.rundll32.exe.70a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.3.loaddll32.exe.caa31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.810000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.30794a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.70a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(16 entries in the full report; first five shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 6yDD19jMIu.dll | Virustotal: Detection: 9%
Multi AV Scanner detection for domain / URL
Source: areuranel.website | Virustotal: Detection: 6%
Source: breuranel.website | Virustotal: Detection: 6%
Source: https://areuranel.website/ | Virustotal: Detection: 6%
Source: 6yDD19jMIu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: 6yDD19jMIu.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb& source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb7 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.464515303.0000000005490000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbT) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbD source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb; source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb0 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdby' source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbN source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbf) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbM source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb* source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdb, source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbz source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.463108056.0000000002D40000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbR source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbX) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbg source: WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbX source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbl) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb1 source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdb> source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.775494976.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776806344.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.471242410.000000006E53B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
                      Source: Binary string: advapi32.pdbH source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.463129538.0000000002D4C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.464251828.0000000002D46000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465353270.00000000035B2000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb\ source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.219.162 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.223.66 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.101.124.210 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.137.114 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | IP Address: 40.97.161.50
Source: Joe Sandbox View | IP Address: 13.82.28.61
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
                      Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
                      Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
                      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                      Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                      Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
                      Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49845
                      Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 65c8d4ee-587b-c9b1-e6a8-2fcf099847ce | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedBETarget: AM6PR04MB5622.EURPRD04.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: 7tTIZXtYscnmqC/PCZhHzg.1 | X-Powered-By: ASP.NET | X-FEServer: AS8PR04CA0145 | Date: Mon, 11 Oct 2021 20:36:54 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 4b4aee2f-6f98-79c7-950f-5c79da77b3fe | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedBETarget: AM6PR06MB4263.eurprd06.prod.outlook.com | X-BackEndHttpStatus: 404 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: L+5KS5hvx3mVD1x52nez/g.1 | X-Powered-By: ASP.NET | X-FEServer: AS9PR06CA0128 | Date: Mon, 11 Oct 2021 20:36:58 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 85b7812e-0a7c-b961-2cc4-adf543fab5ae | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: VI1PR08CU010.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR08CA0134.EURPRD08.PROD.OUTLOOK.COM | X-CalculatedBETarget: VI1PR06MB5455.EURPRD06.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: LoG3hXwKYbksxK31Q/q1rg.1.1 | X-FEServer: VI1PR08CA0134 | X-Powered-By: ASP.NET | X-FEServer: AS9PR06CA0260 | Date: Mon, 11 Oct 2021 20:38:17 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 295ac203-bc6e-2f15-84bf-9c5b1de6eb11 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: AM9P193CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: AM9P193CA0023.EURP193.PROD.OUTLOOK.COM | X-CalculatedBETarget: AM0PR05MB4915.eurprd05.prod.outlook.com | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: A8JaKW68FS+Ev5xbHebrEQ.1.1 | X-FEServer: AM9P193CA0023 | X-Powered-By: ASP.NET | X-FEServer: AS9PR05CA0054 | Date: Mon, 11 Oct 2021 20:38:20 GMT | Connection: close
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.500798053.0000000004D65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.503518309.00000000053C2000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.518255520.0000000005005000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | String found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
                      Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/
                      Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp | String found in binary or memory: https://blogs.msn.com/
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/8
                      Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/X
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/Gu5CX9rKtqJTGdubC/vfDJzFOCWocD/fyvnSBIy2J4/FhQlzlOfNqSLAT/n_2BCGU5
                      Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/VQCuXOMQ58gaep/wQcyE3XNRkOUslXiuIoRn/thqxftgA7_2FvfGU/paR5aKKlYUJw
                      Source: rundll32.exe, 00000003.00000003.521631224.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.511056929.00000000008E9000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478009497.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/logi
                      Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ch
                      Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984572&rver
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984576&rver
                      Source: rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984656&rver
                      Source: loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984659&rver
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656854025.0000000000900000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.477941064.00000000008F0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/e
                      Source: loaddll32.exe, 00000000.00000003.663884041.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/f
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/Mnijq
                      Source: rundll32.exe, 00000003.00000003.511136188.0000000000889000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/U
                      Source: loaddll32.exe, 00000000.00000003.571505520.000000000112A000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/
                      Source: loaddll32.exe, 00000000.00000003.571184163.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfS
                      Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/$
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/;
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/C
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/Q
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/m
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert
                      Source: loaddll32.exe, 00000000.00000003.576353780.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/w
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.752826654.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz
                      Source: rundll32.exe, 00000003.00000003.745980774.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.773684613.0000000000894000.00000004.00000020.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MW
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/&
                      Source: rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fBqQVObz8g5lnocL%2frDmP1N8TTzvhY7vp6N%2fRS6H6xMUu%2fq
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fM47eTWImwyNJIXk%2fbvBUnXDqSGJkSqnZ1W%2fIoQdQ6MHW%2fB
                      Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fwy2L0fN2E5PVQV%2fdJuGUeMmesCePLL0l7Wgt%2fWGkNYevXDY_
                      Source: loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fytBZeomNqV%2fHSfS_2F75u1_2Bgzu%2ffw3T9nUGqtyA%2fMnMc
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/M
                      Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4l
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup
                      Source: rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_
                      Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS
                      Source: unknown | DNS traffic detected: queries for: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
                      Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.768381910.00000000010AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 6yDD19jMIu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C21B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D5600
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E518C9B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E4D5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E50D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E523CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E50B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E52FA78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E51A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E52FB98
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E4D5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E50D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E523CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E50B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E51A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E4FAEC0 appears 38 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E508487 appears 34 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String fun