Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Sample Name: 6yDD19jMIu.dll
Analysis ID: 500309
MD5: 903cf677ba834a968b42bd71e4626a9d
SHA1: c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256: b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 6yDD19jMIu.dll Virustotal: Detection: 9%
Multi AV Scanner detection for domain / URL
Source: areuranel.website Virustotal: Detection: 6%
Source: breuranel.website Virustotal: Detection: 6%

Compliance:

Uses 32bit PE files
Source: 6yDD19jMIu.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 6yDD19jMIu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.98.208.66 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.161.50
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic HTTP traffic detected:
  GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 42a9a6e9-6dd8-e4f4-89ca-fa996edc4ee9
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: AM0PR03CU001.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: AM0PR03CA0028.EURPRD03.PROD.OUTLOOK.COM
  X-CalculatedBETarget: AM0P195MB0754.EURP195.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: 6aapQtht9OSJyvqZbtxO6Q.1.1
  X-FEServer: AM0PR03CA0028
  X-Powered-By: ASP.NET
  X-FEServer: AM6P195CA0091
  Date: Mon, 11 Oct 2021 20:51:06 GMT
  Connection: close
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 6a56c307-e9c6-c4f1-93bd-eb8372a66b3c
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedBETarget: AM5PR0202MB2546.eurprd02.prod.outlook.com
  X-BackEndHttpStatus: 404
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: B8NWasbp8cSTveuDcqZrPA.1
  X-Powered-By: ASP.NET
  X-FEServer: AM5PR0201CA0014
  Date: Mon, 11 Oct 2021 20:51:07 GMT
  Connection: close
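The GET requests above use the standard ISFB/Ursnif request-URI encoding, and the extracted configuration in the AV Detection section supplies everything needed to reverse it: the per-request parameters are encrypted with Serpent in CBC mode under the config's serpent_key, base64 encoded, the characters `+`, `/` and `=` are rewritten as `_2B`, `_2F` and `_2D`, slashes are inserted to fake a directory tree, and a bogus extension (`.jre` here) is appended under the path prefix of the matching c2_domain entry (`msn.com/mail`, `outlook.com/signup`). Two practitioner notes follow from the report's own evidence. First, the Microsoft hosts in the c2_domain list are cover traffic: the Outlook front ends answer 404 as shown above, and the "IP address seen in connection with other malware" entry (40.97.161.50) is one of those Microsoft addresses, so it is not a usable blocklist indicator on its own; the infrastructure worth blocking is the two `.website` domains. Second, the User-Agent is internally inconsistent (IE 8 never shipped on Windows 10, which only carries IE 11), which is a cheap detection hook. The Python below is an example added to this page, not code from the sandbox or from the malware: it reverses the URI encoding for three of the captured requests and checks that the recovered ciphertext is a whole number of 16-byte Serpent blocks. The function names and the request list are this example's own; the `_2D` mapping for `=` is the documented one but does not occur in this capture, and Serpent decryption itself is not implemented.

```python
"""Added example (not sandbox or malware code): undo the Ursnif/ISFB request-URI
encoding for requests captured in this report and sanity-check the result.
Config values and the three request paths are copied from the report; the
request list itself is constructed for the example."""
import base64
import re

# Fields taken from the sandbox's "Found malware configuration" output.
CONFIG = {
    "c2_domain": ["msn.com/mail", "breuranel.website",
                  "outlook.com/signup", "areuranel.website"],
    "botnet": "8899",
    "server": "12",
    "serpent_key": "56473871MNTYAIDA",  # 16 bytes: Serpent-128 CBC key (ISFB)
}

# (Host header, request path) pairs copied from the HTTP evidence above.
OBSERVED_REQUESTS = [
    ("msn.com", "/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre"),
    ("msn.com", "/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre"),
    ("outlook.com", "/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre"),
]

# ISFB rewrites the base64 characters that are not path-safe before splitting
# the string into fake directories. "_2B" and "_2F" occur in this capture;
# "_2D" for "=" is the documented mapping and is assumed here.
B64_SUBST = (("_2B", "+"), ("_2F", "/"), ("_2D", "="))
SERPENT_BLOCK = 16  # Serpent is a 128-bit block cipher


def c2_entries(config):
    """Split "host/path" config entries into (host, "/path") pairs."""
    entries = []
    for entry in config["c2_domain"]:
        host, _, path = entry.partition("/")
        entries.append((host.lower(), "/" + path if path else ""))
    return entries


def match_c2(config, host, path):
    """Config entry (host, prefix) a request was built from, or None."""
    host = host.lower()
    for c2_host, prefix in c2_entries(config):
        same_host = host == c2_host or host.endswith("." + c2_host)
        if same_host and path.startswith(prefix + "/"):
            return c2_host, prefix
    return None


def recover_blob(path, prefix):
    """Reverse the URI encoding; returns the still-encrypted request blob.

    Layout: <prefix>/<directory>/<encoded blob split by '/'>.<fake extension>
    """
    rest = path[len(prefix):].lstrip("/")        # "liopolo/<...>/K.jre"
    _directory, _, payload = rest.partition("/")
    payload, _, ext = payload.rpartition(".")    # drop ".jre"
    if not payload or not ext:
        raise ValueError("not an ISFB-style path: %r" % path)
    # 1. strip the slashes inserted into the encoded string. This must run
    #    before "_2F" is turned back into "/" or real slashes would be lost.
    encoded = payload.replace("/", "")
    # 2. undo the three substitutions
    for token, char in B64_SUBST:
        encoded = encoded.replace(token, char)
    # 3. the bot drops base64 padding; restore it and decode strictly so a
    #    stray character is an error instead of being silently skipped
    encoded += "=" * (-len(encoded) % 4)
    return base64.b64decode(encoded, validate=True)


def triage(config, host, path):
    """Attribute one request to the config and sanity-check the recovered blob."""
    hit = match_c2(config, host, path)
    if hit is None:
        return None
    c2_host, prefix = hit
    blob = recover_blob(path, prefix)
    return {
        "c2_entry": c2_host + prefix,
        "blob_len": len(blob),
        # ISFB encrypts the request parameters with Serpent-CBC under
        # config["serpent_key"], so a well-formed blob is a whole number of
        # 16-byte blocks. Decrypting it needs a Serpent implementation.
        "block_aligned": len(blob) % SERPENT_BLOCK == 0,
    }


def triage_all(config, requests):
    return [triage(config, host, path) for host, path in requests]


_IE_UA = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+\.\d+)")


def ua_is_implausible(user_agent):
    """True for the sample's UA: IE 8 never shipped on Windows 10 (NT 10.0
    only carries IE 11), so "MSIE 8.0; Windows NT 10.0" is a hand-built string."""
    m = _IE_UA.search(user_agent)
    return bool(m) and m.group(2) == "10.0" and int(m.group(1)) < 11


if __name__ == "__main__":
    for (host, _), result in zip(OBSERVED_REQUESTS, triage_all(CONFIG, OBSERVED_REQUESTS)):
        print(host, result)
    print(ua_is_implausible("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"))
```

The three captured requests recover to 144, 160 and 144 bytes of ciphertext, each a whole number of Serpent blocks, which is the quick check that the prefix, directory and extension were stripped correctly. With a Serpent implementation, decrypting `recover_blob()` output with CONFIG["serpent_key"] in CBC mode (as documented for ISFB) yields the bot's request parameters; that step is deliberately left out here.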
Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.542519805.0000000004C13000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.co
Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633985424&rver
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: WerFault.exe, 00000013.00000002.531558276.0000000004A0C000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry.microsoftv
Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.d
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fRSTOkJCBHcQTlX372kVU%2fXbET532Uukq3yxPfegA%2frK8jg_2
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjXTvRU37X%2fkKAN62uBd3tDT4UuvXf7%2ftv2pa650q_2BNc4gZ
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: unknown DNS traffic detected: queries for: msn.com
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.152.242:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.137.242:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.5:49790 version: TLS 1.2
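The seven GET requests above share one shape: the first path segment is the path half of a `c2_domain` entry from the extracted configuration (`msn.com/mail`, `outlook.com/signup`) and the Host header is its host half; a fixed token `liopolo` follows; then comes a long run of segments made of base64 characters in which `/` and `+` appear as `_2F` and `_2B` (the random splitting can land inside such an escape, as in `vemXw0_2/BHJI...`); the last segment carries a fake `.jre` extension; and every request uses the hard-coded `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)` user agent. The two `.website` domains from the configuration do not appear in the captured traffic shown here. The Python below is an added example, not part of the Joe Sandbox report: it turns such a path back into the base64 blob the bot sent and lists which of those traits a request exhibits. Assumptions: the `_2F`/`_2B` substitution with random slash insertion and a fake extension is the URI encoding described in public ISFB/Ursnif write-ups, not something this report states; `liopolo` is treated as part of the fixed prefix because including it in the blob gives an invalid base64 length for all three distinct requests, while excluding it yields 160, 144 and 144 bytes, each a whole number of 16-byte blocks, consistent with the Serpent-encrypted payload those write-ups describe. Decrypting with the configuration's `serpent_key` is out of scope (no Serpent in the standard library); the benign request is constructed for contrast, and the function and constant names are this example's own.

```python
"""Normalise and score ISFB/Ursnif-style beacon URIs.

Added example for this report. The encoding rules (_2F/_2B escapes, random
slash insertion, fake extension) come from public ISFB write-ups, not from
the report itself, and are therefore an assumption.
"""
import base64
import re

# Sample input constructed from the three distinct GET paths captured above.
CAPTURED = [
    ("msn.com", "/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre"),
    ("outlook.com", "/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre"),
    ("www.outlook.com", "/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre"),
]
BENIGN = ("www.example.com", "/static/js/app.min.js")   # constructed, for contrast

# From the report's extracted configuration: "host" or "host/path-prefix".
C2_DOMAINS = ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"]
BOT_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
PREFIX_SEGMENTS = 2   # assumption: '<c2 path>/liopolo/' precedes the encoded blob
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


def c2_entry_for(host: str, path: str):
    """Return the configured c2_domain entry this request matches, or None.

    A bare host in the config matches any path; 'host/prefix' requires the
    first path segment to equal the prefix. Subdomains of the host count.
    """
    for entry in C2_DOMAINS:
        c2_host, _, prefix = entry.partition("/")
        host_ok = host == c2_host or host.endswith("." + c2_host)
        if host_ok and (not prefix or path.startswith("/" + prefix + "/")):
            return entry
    return None


def recover_blob(path: str, prefix_segments: int = PREFIX_SEGMENTS) -> bytes:
    """Undo the URI encoding and return the raw (still encrypted) request blob.

    Order matters: drop prefix and extension, join the randomly split segments,
    and only then map _2F -> '/' and _2B -> '+', because a split may land in
    the middle of an escape (see 'vemXw0_2/BHJ...' above). Raises ValueError
    when the result is not a base64 string; that is the negative check.
    """
    segments = [s for s in path.split("/") if s][prefix_segments:]
    if not segments:
        raise ValueError("no payload segments")
    segments[-1] = segments[-1].rsplit(".", 1)[0]        # strip the fake extension
    joined = "".join(segments).replace("_2F", "/").replace("_2B", "+")
    if not B64_ALPHABET.fullmatch(joined) or len(joined) % 4 == 1:
        raise ValueError("not a base64 payload")
    joined += "=" * (-len(joined) % 4)                   # the bot sends no padding
    return base64.b64decode(joined)


def beacon_indicators(host: str, path: str, user_agent: str) -> list:
    """Collect the traits of this request that match the captured beacons."""
    reasons = []
    entry = c2_entry_for(host, path)
    if entry:
        reasons.append(f"host/prefix matches configured c2_domain entry {entry!r}")
    if user_agent == BOT_USER_AGENT:
        reasons.append("hard-coded MSIE 8.0 user agent")
    if re.search(r"_2/?[FB]", path):
        reasons.append("base64 '/' or '+' escaped as _2F/_2B in the path")
    try:
        blob = recover_blob(path)
    except ValueError:
        return reasons
    if len(blob) % 16 == 0:
        reasons.append(f"path decodes to {len(blob)} bytes, a whole number of 16-byte blocks")
    return reasons


if __name__ == "__main__":
    for host, path in CAPTURED + [BENIGN]:
        print(host, beacon_indicators(host, path, BOT_USER_AGENT))
```

The block-alignment check is the useful negative control: a path that merely contains `_2F` (a URL-encoded underscore pattern in a legitimate site, say) will usually fail the alphabet test or decode to an odd length, whereas all three captured requests decode cleanly to multiples of 16 bytes. The `c2_entry_for` match is the strongest single signal here, since it ties a request to this sample's configuration rather than to the family in general.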

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: (same memory dumps, process memory spaces and unpacked PE regions as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 6yDD19jMIu.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE21B4 0_2_6ECE21B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00754C40 0_2_00754C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075664C 0_2_0075664C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00752B76 0_2_00752B76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075954A 0_2_0075954A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075AF24 0_2_0075AF24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00757DEC 0_2_00757DEC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECF5600 0_2_6ECF5600
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2B597 0_2_6ED2B597
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3A2B1 0_2_6ED3A2B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1E8C0 0_2_6ED1E8C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BAF24 3_2_012BAF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012B2B76 3_2_012B2B76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012B4C40 3_2_012B4C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECF5600 3_2_6ECF5600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2D630 3_2_6ED2D630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED43CCE 3_2_6ED43CCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED2B597 3_2_6ED2B597
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED3A2B1 3_2_6ED3A2B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1E8C0 3_2_6ED1E8C0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ED1ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ED1ABD1 appears 91 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6ECE15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1273 NtMapViewOfSection, 0_2_6ECE1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE13B8 GetProcAddress,NtCreateSection,memset, 0_2_6ECE13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE23D5 NtQueryVirtualMemory, 0_2_6ECE23D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00755D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00755D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075B149 NtQueryVirtualMemory, 0_2_0075B149
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012B5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_012B5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BB149 NtQueryVirtualMemory, 3_2_012BB149
Source: 6yDD19jMIu.dll Virustotal: Detection: 9%
Source: 6yDD19jMIu.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872
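The "Writes registry values via WMI" evidence above and the process-creation lines just listed are the two places where this report shows how the sample gets its work done on the host. Registry writes go through `StdRegProv` methods in `root\default` (`SetDWORDValue`, `SetBinaryValue`, `SetStringValue`), which means the actual registry API call is executed by the WMI provider host rather than by the loaddll32/rundll32 process a per-process hook on `RegSetValueEx` would be watching. The DLL itself is hosted by `rundll32.exe` with a named export (`BeGrass`, `Fieldeight`, `Often`) or ordinal `#1` from a user-writable path, and three of the rundll32 instances crash (`WerFault.exe` spawned for PIDs 6048, 4680 and 3056). The Python below is an added triage helper, not part of the Joe Sandbox report: it parses a constructed subset of the report's own `Source: ... Process created / WMI Registry write / Code function` lines, rebuilds the parent-child relationships and emits findings for those traits, plus the `NtCreateSection`/`NtMapViewOfSection` pair listed under "Contains functionality to call native functions". The line grammar, rule names and the user-writable path list are this example's own assumptions, fitted to the lines as they appear on this page.

```python
"""Triage a flattened sandbox report: rebuild the process tree and flag a few traits.

Added example; the line grammar and rule names are assumptions fitted to the
"Source: ..." lines on this page, not a Joe Sandbox format definition.
"""
import re
from collections import Counter, defaultdict

# Constructed subset of the report's own evidence lines (copied from the page).
REPORT_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
    r"Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1273 NtMapViewOfSection, 0_2_6ECE1273",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE13B8 GetProcAddress,NtCreateSection,memset, 0_2_6ECE13B8",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) (?P<kind>Process created|WMI Registry write|Code function): (?P<detail>.*)$"
)
# rundll32 <dll>,<export-or-#ordinal>; the DLL path may be single-quoted in these lines.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+)'?\s*,\s*(?P<entry>#?\w+)", re.IGNORECASE)
WMI_RE = re.compile(r"StdRegProv::(?P<method>Set\w+)")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # assumption: DLL locations worth flagging


def parse(lines):
    """Group evidence by source process image: children, WMI set-methods, Nt* APIs."""
    procs = defaultdict(lambda: {"children": [], "wmi": set(), "apis": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, kind, detail = m.group("src", "kind", "detail")
        if kind == "Process created":
            image, _, cmdline = detail.partition(" ")
            procs[src]["children"].append((image, cmdline))
        elif kind == "WMI Registry write":
            w = WMI_RE.search(detail)
            if w:
                procs[src]["wmi"].add(w.group("method"))
        elif kind == "Code function":
            # detail: "0_2_6ECE13B8 GetProcAddress,NtCreateSection,memset, 0_2_6ECE13B8"
            names = detail.split(" ", 1)[1] if " " in detail else ""
            procs[src]["apis"].update(n.strip() for n in names.split(",") if n.strip().startswith("Nt"))
    return procs


def triage(lines):
    """Return (rule, source process, detail) findings for the traits seen in this report."""
    findings = []
    for src, info in parse(lines).items():
        for image, cmdline in info["children"]:
            r = RUNDLL_RE.search(cmdline)
            if r and r.group("dll").lower().startswith(USER_WRITABLE):
                findings.append(("rundll32-user-path", src, f"{r.group('dll')} via {r.group('entry')}"))
            if image.lower().endswith("\\werfault.exe"):
                findings.append(("dll-host-crash", src, cmdline))
        if info["wmi"]:
            # The registry write is carried out by the WMI provider host, not by 'src' itself.
            findings.append(("wmi-registry-write", src, ",".join(sorted(info["wmi"]))))
        if {"NtCreateSection", "NtMapViewOfSection"} <= info["apis"]:
            findings.append(("section-mapping", src, "NtCreateSection+NtMapViewOfSection"))
    return findings


def rule_counts(lines):
    """How many times each rule fired; handy when triaging many reports at once."""
    return Counter(rule for rule, _, _ in triage(lines))


if __name__ == "__main__":
    for finding in triage(REPORT_LINES):
        print(*finding, sep=" | ")
```

Note that the `rundll32-user-path` rule fires on the parent's command line, so the `cmd.exe /C rundll32.exe ...,#1` launch is caught at `loaddll32.exe` even before `cmd.exe` spawns the real `rundll32.exe`; in a sandbox the loader calls every export, so the three crashes say more about the exports' expected arguments than about the payload.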
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER618E.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@14/12@14/7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00754A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00754A03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4680
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3056
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6048
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 6yDD19jMIu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 6yDD19jMIu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
Note: of the PDB paths listed above, only c:\wheel\receive\Many-rise\score.pdb is attributable to the sample (it is present in 6yDD19jMIu.dll itself and in the DLL image mapped at 0x6ECE0000 in loaddll32.exe and rundll32.exe). Every other path is a system-DLL symbol name read from WerFault.exe memory while it dumped the crashed rundll32.exe instances, and says nothing about the sample; the stray trailing characters (pdbC, pdbk, pdb() are adjacent memory bytes, not part of the names.

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE2150 push ecx; ret 0_2_6ECE2159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE21A3 push ecx; ret 0_2_6ECE21B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075AF13 push ecx; ret 0_2_0075AF23
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075ABE0 push ecx; ret 0_2_0075ABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1AB9A push ecx; ret 0_2_6ED1ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BAF13 push ecx; ret 3_2_012BAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BABE0 push ecx; ret 3_2_012BABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1AB9A push ecx; ret 3_2_6ED1ABAD
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress, 0_2_6ECE1DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (2 identical hits)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (20 identical hits)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical hits)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (60 identical hits, 20 after each FAILCRITICALERRORS | NOGPFAULTERRORBOX hit)
Source: WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: WerFault.exe, 00000012.00000002.526051488.0000000005320000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524764769.0000000004A1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.545662496.0000000004CD8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000017.00000002.545508557.0000000004C02000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW~
Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
Note: all four Hyper-V strings were found only in WerFault.exe memory, i.e. in the crash reporter's view of the analysis VM, not in loaddll32.exe, rundll32.exe or the unpacked images. They are environment residue, not evidence that the sample checks for a hypervisor.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED26CB3
Note: the IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter sequence here, and the SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> GetCurrentProcess -> TerminateProcess sequence at 0_2_6ED1B316 listed below, match the MSVC C runtime's /GS stack-cookie failure handler (__report_gsfailure), which is statically linked into most 32-bit Windows binaries. On their own they are weak evidence of anti-debugging; the repeated DebugPort queries from rundll32.exe below (NtQueryInformationProcess with ProcessDebugPort) are the stronger indicator.
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress, 0_2_6ECE1DE5
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3C325 mov eax, dword ptr fs:[00000030h] 0_2_6ED3C325
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED48861 mov eax, dword ptr fs:[00000030h] 0_2_6ED48861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED8DFDA mov eax, dword ptr fs:[00000030h] 0_2_6ED8DFDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED8DEAA mov eax, dword ptr fs:[00000030h] 0_2_6ED8DEAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED8DBB5 push dword ptr fs:[00000030h] 0_2_6ED8DBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED3C325 mov eax, dword ptr fs:[00000030h] 3_2_6ED3C325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED48861 mov eax, dword ptr fs:[00000030h] 3_2_6ED48861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED8DFDA mov eax, dword ptr fs:[00000030h] 3_2_6ED8DFDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED8DEAA mov eax, dword ptr fs:[00000030h] 3_2_6ED8DEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED8DBB5 push dword ptr fs:[00000030h] 3_2_6ED8DBB5
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort (6 identical hits)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED26CB3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6ED1B316
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6ED26CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6ED1B316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.98.208.66 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Note: the four Network Connect targets (52.98.208.66, 40.97.161.50, 40.101.9.178, 13.82.28.61) lie in Microsoft address space and are reached through the msn.com / outlook.com lookups; those two hosts also appear in the extracted c2_domain list alongside breuranel.website and areuranel.website. Read the Microsoft entries as decoy or connectivity-check entries (a common trait of this family; this is an analyst judgement, not something the sandbox states) and the two .website domains as the actionable C2 indicators. The report pairs no Network Connect with the .website lookups.
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
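The two behaviours above (a DLL host process making its own network connections, and rundll32.exe being started with the sample by ordinal export) are what an endpoint detection would key on. The following is an added example written for this page, not Joe Sandbox's rules and not code from the sample: three rules evaluated over constructed, Sysmon-shaped events (assumed field names Image, CommandLine, DestinationIp, DestinationPort, QueryName for event IDs 1, 3 and 22; the ports in the sample events are made up). It treats the msn.com / outlook.com entries of the extracted c2_domain list as decoys to be suppressed, which is an analyst judgement, and it deliberately does not key on the cmd.exe parent, because that parent is how the sandbox launches a submitted DLL rather than how the loader would be started on a victim.

```python
import ipaddress

# Domains from the extracted configuration. Assumption (analyst judgement, not
# something the sandbox states): the msn.com/mail and outlook.com/signup entries
# are decoys / connectivity checks, so they are classified but never alerted on;
# the two .website hosts are the actionable C2 indicators. office365.com is added
# because the report shows outlook.office365.com being resolved next to outlook.com.
C2_DOMAINS = {"breuranel.website", "areuranel.website"}
DECOY_DOMAINS = {"msn.com", "outlook.com", "office365.com"}
DLL_HOSTS = {"rundll32.exe", "loaddll32.exe"}   # DLL host processes with no business talking to the internet


def _image_name(path: str) -> str:
    """'C:\\Windows\\SysWOW64\\rundll32.exe' -> 'rundll32.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_domains(query: str, domains) -> bool:
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def classify_query(query: str) -> str:
    """'c2' for the .website hosts, 'decoy' for the Microsoft entries, else 'other'."""
    if _in_domains(query, C2_DOMAINS):
        return "c2"
    if _in_domains(query, DECOY_DOMAINS):
        return "decoy"
    return "other"


def _is_public(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:          # malformed or missing address: never a hit
        return False


def evaluate(ev: dict) -> list[tuple[str, str]]:
    """Apply the three rules to one event; return (rule id, reason) pairs."""
    image = _image_name(ev.get("Image", ""))
    eid = ev.get("EventID")
    out = []
    if eid == 1 and image == "rundll32.exe":
        cmd = ev.get("CommandLine", "").lower()
        # R1: rundll32 invoking an export *by ordinal* from a DLL under a user profile
        if "\\users\\" in cmd and ".dll" in cmd and ",#" in cmd:
            out.append(("R1", f"rundll32 ordinal export from user path: {ev['CommandLine']}"))
    elif eid == 3 and image in DLL_HOSTS and _is_public(ev.get("DestinationIp", "")):
        # R2: a DLL host process connecting to a public address (private/reserved ranges ignored)
        out.append(("R2", f"{image} connected to {ev['DestinationIp']}:{ev.get('DestinationPort')}"))
    elif eid == 22 and image in DLL_HOSTS:
        q = ev.get("QueryName", "")
        # R3: only the real C2 domains alert; decoy lookups are classified and dropped
        if classify_query(q) == "c2":
            out.append(("R3", f"{image} resolved C2 domain {q}"))
    return out


def run(events) -> list[tuple[int, str, str]]:
    """Evaluate an event stream; return (event index, rule id, reason) triples."""
    return [(i, rule, why) for i, ev in enumerate(events) for rule, why in evaluate(ev)]


# Constructed events shaped like Sysmon IDs 1/3/22 (not the sandbox's log; ports are invented).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\6yDD19jMIu.dll",#1'},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "www.msn.com"},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "areuranel.website"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "52.98.208.66", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "52.98.208.66", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "outlook.office365.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, rule, why in run(EVENTS):
        print(idx, rule, why)
</```

Against the constructed stream the example raises R1 for the ordinal launch, R3 for areuranel.website and R2 for the Microsoft-hosted connection, and stays silent on the decoy lookups, the private-range connection, the svchost.exe connection and a benign rundll32 control-panel launch. R2 fires on the decoy traffic by design: a 32-bit rundll32.exe from SysWOW64 with any public connection is worth a look regardless of where the decoys point.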

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED19EB5
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED40E4C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED4E448
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED40429
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6ED4EA21
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED4E3AD
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED4E344
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6ED4E0A2
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6ED4E84C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6ED19EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6ED40E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6ED4E448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6ED40429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6ED4EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6ED4E3AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6ED4E344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6ED4E0A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6ED4E84C
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075A82B cpuid 0_2_0075A82B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6ECE1172
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3FF15 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_6ED3FF15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6ECE1825
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_0075A82B
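Two things are worth reading off the hits above before scanning for them: the cpuid hit and the GetUserNameW/GetComputerNameW hit are the same function, 0_2_0075A82B, in the unpacked region at 0x750000 (one of the Yara-matched Ursnif images), so that routine is the payload fingerprinting the host; the GetLocaleInfoW / EnumSystemLocalesW / GetUserDefaultLCID / GetACP cluster at 0x6ED4xxxx is consistent with statically linked C runtime locale code in the DLL image mapped at 0x6ECE0000 rather than with bespoke language checks. The byte-level signatures in this report (the push/ret pairs under Data Obfuscation, the fs:[30h] PEB reads under Anti Debugging, and cpuid here) can be reproduced with a small static scanner. The code below is an added example written for this page, not Joe Sandbox code and not code from the sample: it scans a hand-assembled 32-bit buffer (constructed, not bytes from 6yDD19jMIu.dll), assumes 32-bit x86 encodings, and flags only the adjacent form push r32 ; ret, whereas the report's hits pair a push with a ret several bytes later in the same function. It also plants an immediate containing 51 C3 to show why raw-byte hits must be confirmed in a disassembler.

```python
import re
from dataclasses import dataclass

# 32-bit x86 encodings of the constructs the sandbox signatures describe.
# Assumption: the buffer is 32-bit code. On raw bytes these patterns also fire
# inside immediates and data, so every hit needs confirming in a disassembler.
PATTERNS = [
    ("push r32; ret",           re.compile(rb"[\x50-\x57]\xC3")),               # push eax..edi ; ret
    ("mov eax, fs:[30h]",       re.compile(rb"\x64\xA1\x30\x00\x00\x00")),      # PEB pointer into eax
    ("push dword ptr fs:[30h]", re.compile(rb"\x64\xFF\x35\x30\x00\x00\x00")),  # PEB pointer pushed
    ("cpuid",                   re.compile(rb"\x0F\xA2")),
]


@dataclass(frozen=True)
class Hit:
    offset: int      # offset into the buffer; add the image base for a VA
    name: str
    length: int


def scan(data: bytes) -> list[Hit]:
    """Return every pattern hit in data, sorted by offset."""
    hits = [Hit(m.start(), name, m.end() - m.start())
            for name, rx in PATTERNS
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.name))


def summarize(hits) -> dict[str, int]:
    """Hit count per pattern name."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts


def format_hit(h: Hit, image_base: int) -> str:
    """Render a hit the way the report does: '<VA> <mnemonic>'."""
    return f"{image_base + h.offset:08X} {h.name}"


# Constructed test buffer (hand-assembled for this example, not bytes from the sample).
SAMPLE = bytes.fromhex(
    "55 8B EC "              # push ebp ; mov ebp, esp        ordinary prologue
    "64 A1 30 00 00 00 "     # mov eax, fs:[30h]              PEB read          (hit @3)
    "8A 40 02 "              # mov al, [eax+2]                PEB.BeingDebugged
    "84 C0 "                 # test al, al
    "31 C0 "                 # xor eax, eax
    "0F A2 "                 # cpuid                                            (hit @16)
    "B9 78 56 34 12 "        # mov ecx, 12345678h
    "51 "                    # push ecx
    "C3 "                    # ret -> control goes to 12345678h                  (hit @23)
    "64 FF 35 30 00 00 00 "  # push dword ptr fs:[30h]        PEB read          (hit @25)
    "5D C3 "                 # pop ebp ; ret                  normal epilogue, 5D is not a push
    "B9 51 C3 00 00 "        # mov ecx, 0C351h -> immediate happens to contain 51 C3 (FALSE POSITIVE @35)
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(format_hit(h, 0x6ECE0000))
    print(summarize(scan(SAMPLE)))
```

Feed it a dumped code section together with that dump's image base (for instance the 0.2.loaddll32.exe.750000.0.unpack image at 0x750000) and the output lines up with the addresses in this report; the last hit on the constructed buffer is the planted false positive inside a mov immediate.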

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: the same sources as listed under Yara detected Ursnif in 'Hooking and other Techniques for Hiding and Protection' above (memory dumps, process memory spaces and unpacked PEs of loaddll32.exe and rundll32.exe); the list is not repeated here.
Source: Yara match File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY