Windows Analysis Report m87xfb63XU.dll

Overview

General Information

Sample Name: m87xfb63XU.dll
Analysis ID: 500399
MD5: 5aa733e108f0fa41df88cea0a309affe
SHA1: ce79918ca7845f2163360ea40a251912998ea226
SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: m87xfb63XU.dll ReversingLabs: Detection: 22%

Compliance:

Uses 32bit PE files
Source: m87xfb63XU.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.82:443 -> 192.168.2.3:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.66:443 -> 192.168.2.3:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: m87xfb63XU.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb{: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb_:IE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb_POei source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbT$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
Source: Binary string: lbase.pdb source: WerFault.exe, 0000000D.00000003.552510597.0000000004D73000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbK@q source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbi: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbEPue source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbQPIer source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.586318313.00000000008D2000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000002.594044860.0000000002FE2000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbf$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbM:{E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb@$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb@ source: WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb+:EE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.578932063.0000000004B9E000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbX$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbe: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbU:CEt source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbC:}E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbCP{e. source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbq:oE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbj7 source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.828952358.000000006E83B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829929626.000000006E83B000.00000002.00020000.sdmp, m87xfb63XU.dll
Source: Binary string: sechost.pdbw:aE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.552382095.0000000002F9A000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.558219704.00000000034E6000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb!:_Er source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbY:wE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbIPae source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbH7|E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbN$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbo: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbR$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbwPge source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.2 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.66 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.161.50 40.97.161.50
Source: Joe Sandbox View IP Address: 13.82.28.61 13.82.28.61
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/zwOfFpRmM9Pcjtlo/mhxUAWIol_2Bidj/ZyUBkmkt9UDUf59heB/_2Fa01_2F/fe5khD18VNL3grTs1oBD/Gp7Xm3KoaUrn2NbkVi4/PAUVXoXppe_2FqPWphraUo/OvKmQ_2F/8LQ.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 0c8d249e-2aa6-4c4b-c0dd-a86db3f73cbeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: AM0PR02CU003.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: AM0PR02CA0079.EURPRD02.PROD.OUTLOOK.COMX-CalculatedBETarget: AM0PR10MB2530.EURPRD10.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: niSNDKYqS0zA3ahts/c8vg.1.1X-FEServer: AM0PR02CA0079X-Powered-By: ASP.NETX-FEServer: AM6PR10CA0074Date: Mon, 11 Oct 2021 22:23:43 GMTConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 404aa930-782f-c767-6fa8-22dabae1af7bStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAlt-Svc: h3=":443",h3-29=":443"X-CalculatedFETarget: VI1PR04CU006.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: VI1PR04CA0106.EURPRD04.PROD.OUTLOOK.COMX-CalculatedBETarget: VI1P191MB0174.EURP191.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: MKlKQC94Z8dvqCLauuGvew.1.1X-FEServer: VI1PR04CA0106X-Powered-By: ASP.NETX-FEServer: AM6P191CA0036Date: Mon, 11 Oct 2021 22:23:43 GMTConnection: close
Source: loaddll32.exe, 00000000.00000003.661990897.0000000000E0F000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.828806436.0000000002C7E000.00000004.00000020.sdmp, WerFault.exe, 00000010.00000003.592082392.00000000052F7000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.603683328.0000000004B23000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000010.00000003.590261619.000000000536E000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-op
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578061869.0000000002CDF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578061869.0000000002CDF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: rundll32.exe, 00000003.00000003.754496414.0000000002CB9000.00000004.00000001.sdmp String found in binary or memory: https://areuranel.website/#
Source: rundll32.exe, 00000003.00000003.754370458.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://areuranel.website/liopolo/C_2BfXb0gV5jtbUa/IZmGbVhjqtQp_2F/7qZce0oXF332X4bIP1/uoX46bOOY/izB1
Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.826574665.0000000000E31000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp String found in binary or memory: https://breuranel.website/
Source: rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp String found in binary or memory: https://breuranel.website/liopolo/53U65wbAztycwApkbN/Nm6o3zX96/bvCraxUdm00FZ4WM5Wps/p_2FNPk5Ls6JTWqI
Source: rundll32.exe, 00000003.00000003.665024714.0000000002C7E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.664845337.0000000002CE0000.00000004.00000001.sdmp String found in binary or memory: https://breuranel.website/liopolo/wv4vNBBA798s7/I_2FCPxa/4F4kPL6kvjyV14SrT2YW8wi/GOKS69LDnM/P4sY8Z0h
Source: rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756181648.0000000002CDE000.00000004.00000001.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633990980&rver
Source: rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633990982&rver
Source: loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991064&rver
Source: rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991065&rver
Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752047110.00000000034CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000002.827255923.0000000000E66000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.602499638.0000000002C6E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756167295.0000000002CEC000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602351410.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/
Source: loaddll32.exe, 00000000.00000003.661990897.0000000000E0F000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/&&
Source: rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/G
Source: rundll32.exe, 00000003.00000003.799456741.0000000002CE3000.00000004.00000001.sdmp String found in binary or memory: https://msn.com:443/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3
Source: loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com/
Source: rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/
Source: rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/GS
Source: rundll32.exe, 00000003.00000003.754595048.0000000002C6E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/p
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: loaddll32.exe, 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com
Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.577966306.0000000002CD9000.00000004.00000001.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: rundll32.exe, 00000003.00000003.602425029.0000000002CB9000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/
Source: rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fC3nZ3ojPKuvLDFaD_2FVNtz%2fi_2BIT_2FM%2fPkJe7W3e825Ul
Source: rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQXqV1Cwmdgy9RAxuvo%2feyRDOSF4h%2fn5Xdvl6macAzIHUi6g_
Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjpKr3VzL6CFU%2fK4QwQLlZ56e%2fn3MZDuNS62Sf0R%2fmD2lfs
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fr_2FdFpkR4VdtsN08a%2f_2BmiRrdo%2fiRPVi0tWAScg5sVGfo6
Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: rundll32.exe, 00000003.00000003.602425029.0000000002CB9000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602351410.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/F
Source: rundll32.exe, 00000003.00000003.799456741.0000000002CE3000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799523846.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3
Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5v
Source: rundll32.exe, 00000003.00000003.710948632.0000000002CDD000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com
Source: loaddll32.exe, 00000000.00000003.664473384.0000000000E64000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9
Source: rundll32.exe, 00000003.00000003.710948632.0000000002CDD000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.754370458.0000000002C7E000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84
Source: unknown DNS traffic detected: queries for: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/zwOfFpRmM9Pcjtlo/mhxUAWIol_2Bidj/ZyUBkmkt9UDUf59heB/_2Fa01_2F/fe5khD18VNL3grTs1oBD/Gp7Xm3KoaUrn2NbkVi4/PAUVXoXppe_2FqPWphraUo/OvKmQ_2F/8LQ.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.82:443 -> 192.168.2.3:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.66:443 -> 192.168.2.3:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49848 version: TLS 1.2
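The request lines above follow the ISFB/Ursnif C2 URL scheme: the encoded request data is cut into path segments by inserted slashes, `/` and `+` inside it are written as `_2F` and `_2B`, and a fixed path component (`liopolo` in this sample) plus a pseudo-extension (`.jre`) frame the blob. The User-Agent claims MSIE 8.0 on Windows NT 10.0, a combination no real Internet Explorer ever produced. The hosts are no help for detection: msn.com and outlook.com are legitimate and answered with 404, so host reputation alone misses these beacons; the structure of the request is the indicator. The Python below is an added example, not part of the Joe Sandbox report, that parses lines in the report's own format, reverses the URL transform to recover the base64 blob (the decoded bytes are ciphertext and are not interpreted), and scores each request. The hex unescaping is generic (`_XX`), the `liopolo` marker is taken from this sample's URLs, and the final benign request line is constructed for contrast.

```python
import base64
import re
from dataclasses import dataclass, field

# Three lines copied verbatim from the report (two requests, one TLS connection)
# and one CONSTRUCTED benign request as a negative case.
REPORT_LINES = [
    "Source: global traffic HTTP traffic detected: GET /mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com",
    "Source: global traffic HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com",
    "Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49782 version: TLS 1.2",
    # constructed, not from the report: an ordinary browser request
    "Source: global traffic HTTP traffic detected: GET /en-us/index.html HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36Host: www.example.com",
]

# The report strips CRLFs, so headers run together; anchor on the header names.
REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01](.*)$")
UA_RE = re.compile(r"User-Agent: (.*?)Host: ")
HOST_RE = re.compile(r"Host: (\S+)$")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)")
HEX_ESCAPE_RE = re.compile(r"_([0-9A-Fa-f]{2})")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")


def recover_blob(path, marker="liopolo"):
    """Undo the ISFB URL transform: drop everything up to and including the
    constant marker segment, strip the trailing pseudo-extension, delete the
    slashes inserted into the encoded string, then unescape _XX hex sequences
    (_2F -> '/', _2B -> '+' in this report's URLs).  Returns the base64 text,
    or None when the path does not have that shape."""
    segments = path.split("/")
    if marker not in segments:
        return None
    tail = segments[segments.index(marker) + 1:]
    if not tail:
        return None
    tail[-1] = tail[-1].rsplit(".", 1)[0]          # "FStf.jre" -> "FStf"
    joined = "".join(tail)                          # join BEFORE unescaping: a slash may split "_2F"
    blob = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), joined)
    return blob if B64_RE.match(blob) else None


def decoded_length(blob):
    """Payload size in bytes.  The blob is unpadded base64; a length of 1 mod 4
    cannot be valid base64, so report -1 instead of raising."""
    pad = -len(blob) % 4
    if pad == 3:
        return -1
    return len(base64.b64decode(blob + "=" * pad))


@dataclass
class Verdict:
    host: str
    path: str
    user_agent: str
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self):
        return self.score >= 2


def classify_request(line):
    """Verdict for one 'HTTP traffic detected' line; None for any other line."""
    m = REQ_RE.search(line)
    if not m:
        return None
    path, headers = m.group(2), m.group(3)
    ua_m, host_m = UA_RE.search(headers), HOST_RE.search(headers)
    v = Verdict(host=host_m.group(1) if host_m else "", path=path,
                user_agent=ua_m.group(1) if ua_m else "")
    # IE 8 was never released for Windows 10 (NT 10.0): a client claiming both is lying.
    if "MSIE 8.0" in v.user_agent and "Windows NT 10.0" in v.user_agent:
        v.reasons.append("User-Agent claims MSIE 8.0 on Windows NT 10.0")
        v.score += 1
    blob = recover_blob(path)
    if blob is not None:
        v.reasons.append(f"ISFB-style encoded path: {len(blob)} base64 chars, "
                         f"{decoded_length(blob)} payload bytes")
        v.score += 2                                # structure alone is enough to flag
    return v


def parse_tls(line):
    m = TLS_RE.search(line)
    if not m:
        return None
    return {"server": m.group(1), "server_port": int(m.group(2)),
            "client": m.group(3), "client_port": int(m.group(4)), "version": m.group(5)}


def triage(lines):
    verdicts = [v for v in map(classify_request, lines) if v is not None]
    tls = [t for t in map(parse_tls, lines) if t is not None]
    return verdicts, tls


if __name__ == "__main__":
    verdicts, tls = triage(REPORT_LINES)
    for v in verdicts:
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.host:24} {v.path[:48]}")
        for r in v.reasons:
            print("           -", r)
    print("TLS servers:", sorted({t['server'] for t in tls}))
```

Both report requests recover to 192 base64 characters (144 payload bytes), a further hint that the paths carry fixed-size structured data rather than real resources. One caveat on the User-Agent check: if the NT version in the client string is filled in from the host, the same beacon from a Windows 7 victim would read NT 6.1 and look plausible, so weight the path structure, not the User-Agent.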

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: m87xfb63XU.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C21B4 0_2_6E7C21B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C44C40 0_2_00C44C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C42B76 0_2_00C42B76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4AF24 0_2_00C4AF24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D5600 0_2_6E7D5600
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E80D630 0_2_6E80D630
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E823CCE 0_2_6E823CCE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E80B597 0_2_6E80B597
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E81A2B1 0_2_6E81A2B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FE8C0 0_2_6E7FE8C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008F4C40 3_2_008F4C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FAF24 3_2_008FAF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008F2B76 3_2_008F2B76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7D5600 3_2_6E7D5600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E80D630 3_2_6E80D630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E80B597 3_2_6E80B597
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E81A2B1 3_2_6E81A2B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7FE8C0 3_2_6E7FE8C0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E7FABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7FABD1 appears 91 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1273 NtMapViewOfSection, 0_2_6E7C1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E7C15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C13B8 GetProcAddress,NtCreateSection,memset, 0_2_6E7C13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C23D5 NtQueryVirtualMemory, 0_2_6E7C23D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C45D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00C45D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4B149 NtQueryVirtualMemory, 0_2_00C4B149
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008F5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_008F5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FB149 NtQueryVirtualMemory, 3_2_008FB149
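The native-API rows above are more useful read as capabilities than as single calls: NtCreateSection in one function and NtMapViewOfSection in another belong to the same section-mapping primitive (create a section, map it into a target, which places code in another process without WriteProcessMemory), and NtOpenProcess followed by NtOpenProcessToken and NtQueryInformationToken is a token inspection. The helper below is an added example, not code from the report or the sandbox vendor. It parses rows in the report's "Code function: <idx>_<stage>_<addr> <api>,<api>,... <idx>_<stage>_<addr>" layout, where the leading number is the process index; the API family grouping is an assumption made for the example and the sample rows are copied from the rows above.

```python
import re
from collections import defaultdict

# Constructed copy of rows from the report; process index 0 is loaddll32.exe, 3 is rundll32.exe.
SAMPLE_CODE_FUNCTIONS = r"""
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1273 NtMapViewOfSection, 0_2_6E7C1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C13B8 GetProcAddress,NtCreateSection,memset, 0_2_6E7C13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C23D5 NtQueryVirtualMemory, 0_2_6E7C23D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C45D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00C45D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008F5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_008F5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FB149 NtQueryVirtualMemory, 3_2_008FB149
"""

# The function id appears at both ends of the row, so the API list is whatever sits between.
ROW_RE = re.compile(
    r"Code function:\s+(?P<func>(?P<proc>\d+)_\d+_[0-9A-Fa-f]+)\s+(?P<apis>\S+?),?\s+(?P=func)\s*$"
)

# Assumed grouping of APIs into families that describe a capability when seen in one process.
API_FAMILIES = {
    "section_mapping": {"NtCreateSection", "ZwCreateSection", "NtMapViewOfSection", "ZwMapViewOfSection"},
    "process_open": {"NtOpenProcess", "ZwOpenProcess", "OpenProcess"},
    "token_query": {"NtOpenProcessToken", "NtQueryInformationToken", "OpenProcessToken", "GetTokenInformation"},
    "memory_recon": {"NtQueryVirtualMemory", "ZwQueryVirtualMemory", "VirtualQueryEx"},
    "dynamic_resolve": {"GetProcAddress", "LoadLibraryA", "LoadLibraryW"},
}


def parse_code_functions(text):
    """Return {function_id: [api, ...]} keeping call order and repeated calls."""
    funcs = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            funcs[m.group("func")] = m.group("apis").split(",")
    return funcs


def families_per_function(funcs):
    """Which API families each function touches (functions touching none are omitted)."""
    out = {}
    for fid, apis in funcs.items():
        fams = sorted(name for name, members in API_FAMILIES.items() if members & set(apis))
        if fams:
            out[fid] = fams
    return out


def capability_per_process(funcs):
    """Union of families per process index, i.e. what the code in that process can do overall."""
    caps = defaultdict(set)
    for fid, apis in funcs.items():
        proc = fid.split("_", 1)[0]
        for name, members in API_FAMILIES.items():
            if members & set(apis):
                caps[proc].add(name)
    return {p: sorted(v) for p, v in caps.items()}


def has_section_injection_capability(funcs):
    """Per process index: does it both create and map a section? The two calls usually live in
    different functions, so the check is across the whole process, not per row."""
    apis_by_proc = defaultdict(set)
    for fid, apis in funcs.items():
        apis_by_proc[fid.split("_", 1)[0]].update(apis)
    result = {}
    for proc, apis in apis_by_proc.items():
        creates = bool({"NtCreateSection", "ZwCreateSection"} & apis)
        maps = bool({"NtMapViewOfSection", "ZwMapViewOfSection"} & apis)
        result[proc] = creates and maps
    return result


if __name__ == "__main__":
    funcs = parse_code_functions(SAMPLE_CODE_FUNCTIONS)
    print(capability_per_process(funcs))
    print(has_section_injection_capability(funcs))
```

On the rows above this reports the section create/map pair only for process index 0 (the in-memory code of the loader), while both process indexes carry the NtOpenProcess plus token-query sequence and NtQueryVirtualMemory.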
Source: m87xfb63XU.dll ReversingLabs: Detection: 22%
Source: m87xfb63XU.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFBA.tmp
Source: classification engine Classification label: mal88.troj.evad.winDLL@17/12@22/6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C44A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00C44A03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6936
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6952
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4520
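A triage helper for the process-creation rows above, added here as an example and not part of the report or the sandbox's tooling. The rows show the sandbox exercising every export of the DLL through rundll32 (BeGrass, Fieldeight, Often and ordinal #1, the last one via cmd /C), and each WerFault launch names the crashing rundll32 instance in its -p argument, which also matches the WERReportingForProcess<pid> mutants. The sample rows are a constructed copy of the ones above; the regexes assume the report's "Source: <parent> Process created: <image> <command line>" layout with an optional trailing link label.

```python
import re
from collections import defaultdict, Counter

# Constructed copy of the process-creation rows above (not a live capture).
SAMPLE_PROCESS_EVENTS = r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640 Jump to behavior
"""

EVENT_RE = re.compile(
    r"^Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<image>\S+)\s+(?P<cmdline>.+?)"
    r"(?:\s+Jump to behavior)?\s*$"
)
# rundll32 <dll>,<export or #ordinal>, with or without single quotes around the DLL path.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+)'?,(?P<export>\S+)", re.IGNORECASE)
# WerFault's -p argument carries the PID of the process that faulted.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\s.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_creations(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_tree(events):
    """Map each parent image name to the ordered list of child image names it spawned."""
    tree = defaultdict(list)
    for ev in events:
        tree[basename(ev["parent"])].append(basename(ev["image"]))
    return dict(tree)


def rundll32_entrypoints(events):
    """Every (dll, export) pair handed to rundll32, directly or via cmd /C; '#n' means ordinal n."""
    found = set()
    for ev in events:
        m = RUNDLL32_RE.search(ev["cmdline"])
        if m:
            found.add((basename(m.group("dll")), m.group("export")))
    return sorted(found)


def crashed_pids(events):
    """PIDs that WerFault was launched for, counted per PID."""
    pids = Counter()
    for ev in events:
        m = WERFAULT_PID_RE.search(ev["cmdline"])
        if m:
            pids[int(m.group("pid"))] += 1
    return pids


if __name__ == "__main__":
    evs = parse_process_creations(SAMPLE_PROCESS_EVENTS)
    print(build_tree(evs))
    print(rundll32_entrypoints(evs))
    print(crashed_pids(evs))
```

Three distinct rundll32 PIDs faulting means that more than one of the exported entry points crashed when called in isolation, which is common when a DLL expects to be entered through one specific export (or through DllMain) and the sandbox enumerates all of them.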
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: m87xfb63XU.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: m87xfb63XU.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb{: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb_:IE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb_POei source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbT$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
Source: Binary string: lbase.pdb source: WerFault.exe, 0000000D.00000003.552510597.0000000004D73000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbK@q source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbi: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbEPue source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbQPIer source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.586318313.00000000008D2000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000002.594044860.0000000002FE2000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbf$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbM:{E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb@$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb@ source: WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb+:EE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.578932063.0000000004B9E000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbX$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbe: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbU:CEt source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbC:}E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbCP{e. source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbq:oE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbj7 source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.828952358.000000006E83B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829929626.000000006E83B000.00000002.00020000.sdmp, m87xfb63XU.dll
Source: Binary string: sechost.pdbw:aE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.552382095.0000000002F9A000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.558219704.00000000034E6000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb!:_Er source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbY:wE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbIPae source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbH7|E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbN$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbo: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbR$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbwPge source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C2150 push ecx; ret 0_2_6E7C2159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C21A3 push ecx; ret 0_2_6E7C21B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4ABE0 push ecx; ret 0_2_00C4ABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4AF13 push ecx; ret 0_2_00C4AF23
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FAB9A push ecx; ret 0_2_6E7FABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FABE0 push ecx; ret 3_2_008FABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FAF13 push ecx; ret 3_2_008FAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7FAB9A push ecx; ret 3_2_6E7FABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0043CA68 push esp; retf 0043h 5_2_0043CA71
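What the "push ecx; ret" and "push esp; retf 0043h" rows above match at the byte level: a one-byte PUSH r32 (opcodes 0x50 to 0x57) immediately followed by a near or far RET. The pair transfers control to whatever the pushed register holds, so it is an indirect jump written without a jmp or call instruction. The scanner below is an added example, not the sandbox's own signature code; the code buffer is constructed for the example (a normal prologue, the two flagged pairs and a pop/ret epilogue that must not match) and the report's own addresses are not reproduced.

```python
# x86 32-bit one-byte PUSH r32 opcodes 0x50..0x57, in register order.
PUSH_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_NEAR = 0xC3       # ret
RET_NEAR_IMM = 0xC2   # ret imm16
RET_FAR = 0xCB        # retf
RET_FAR_IMM = 0xCA    # retf imm16

# Constructed buffer: bytes.fromhex ignores the whitespace between the chunks.
SAMPLE_CODE = bytes.fromhex(
    "8B FF 55 8B EC"   # mov edi,edi / push ebp / mov ebp,esp  (prologue, no hit)
    "51 C3"            # push ecx; ret                         (hit at offset 5)
    "90 90 90"         # nop x3
    "54 CA 43 00"      # push esp; retf 0043h                  (hit at offset 10)
    "5D C3"            # pop ebp; ret                          (0x5D is POP, no hit)
    "50 C2 08 00"      # push eax; ret 0008h                   (hit at offset 16)
)


def find_push_ret(code, base=0):
    """Return [(address, mnemonic), ...] for every PUSH r32 directly followed by a RET.

    address is base plus the offset of the push, which is how the report's rows
    locate the pattern (the second address in a row is the address of the ret).
    """
    hits = []
    for i in range(len(code) - 1):
        op = code[i]
        if not 0x50 <= op <= 0x57:
            continue
        reg = PUSH_REGS[op - 0x50]
        nxt = code[i + 1]
        if nxt == RET_NEAR:
            hits.append((base + i, f"push {reg}; ret"))
        elif nxt == RET_FAR:
            hits.append((base + i, f"push {reg}; retf"))
        elif nxt in (RET_NEAR_IMM, RET_FAR_IMM) and i + 3 < len(code):
            # The imm16 operand is little-endian and follows the opcode byte.
            imm = int.from_bytes(code[i + 2:i + 4], "little")
            mnem = "ret" if nxt == RET_NEAR_IMM else "retf"
            hits.append((base + i, f"push {reg}; {mnem} {imm:04X}h"))
    return hits


def format_hits(hits):
    """Render hits in the report's 'ADDR push reg; ret' style for quick comparison."""
    return [f"{addr:08X} {mnem}" for addr, mnem in hits]


if __name__ == "__main__":
    for line in format_hits(find_push_ret(SAMPLE_CODE, base=0x00400000)):
        print(line)
```

The scanner works on raw bytes and does not decode instruction boundaries, so a 0x51 0xC3 sequence inside an operand of a longer instruction would also be reported; that is the same trade-off the byte-pattern signature makes, which is why a hit is worth confirming in a disassembler before it is treated as deliberate obfuscation.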
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1DE5 LoadLibraryA,GetProcAddress, 0_2_6E7C1DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000010.00000002.594844091.0000000005290000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp, WerFault.exe, 00000010.00000002.594924398.00000000052E2000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.605872218.0000000004B13000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000003.710966842.0000000002C72000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: WerFault.exe, 0000000D.00000002.591098165.0000000004CA2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E806CB3
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1DE5 LoadLibraryA,GetProcAddress, 0_2_6E7C1DE5
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E81C325 mov eax, dword ptr fs:[00000030h] 0_2_6E81C325
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E828861 mov eax, dword ptr fs:[00000030h] 0_2_6E828861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DFDA mov eax, dword ptr fs:[00000030h] 0_2_6E86DFDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DEAA mov eax, dword ptr fs:[00000030h] 0_2_6E86DEAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DBB5 push dword ptr fs:[00000030h] 0_2_6E86DBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E81C325 mov eax, dword ptr fs:[00000030h] 3_2_6E81C325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E828861 mov eax, dword ptr fs:[00000030h] 3_2_6E828861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DFDA mov eax, dword ptr fs:[00000030h] 3_2_6E86DFDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DEAA mov eax, dword ptr fs:[00000030h] 3_2_6E86DEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DBB5 push dword ptr fs:[00000030h] 3_2_6E86DBB5
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E806CB3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E7FB316
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E806CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E7FB316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.2 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.151.66 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E7F9EB5
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E820E4C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E820429
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E82E448
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E82EA21
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E82E3AD
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E82E344
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E82E0A2
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E82E84C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E7F9EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E820E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E820429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E82E448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E82EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E82E3AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E82E344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E82E0A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E82E84C
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4A82B cpuid 0_2_00C4A82B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E7C1172
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E81FF15 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_6E81FF15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E7C1825
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00C4A82B

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif