Windows Analysis Report m87xfb63XU.dll

Overview

General Information

Sample Name: m87xfb63XU.dll
Analysis ID: 500399
MD5: 5aa733e108f0fa41df88cea0a309affe
SHA1: ce79918ca7845f2163360ea40a251912998ea226
SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: m87xfb63XU.dll Virustotal: Detection: 18%
Source: m87xfb63XU.dll ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: areuranel.website Virustotal: Detection: 6%
Source: breuranel.website Virustotal: Detection: 6%

Compliance:

Uses 32bit PE files
Source: m87xfb63XU.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.135.82:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: m87xfb63XU.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.135.82 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.153.146
Source: Joe Sandbox View IP Address: 13.82.28.61
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic HTTP traffic detected:
  GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 6f408bdb-1e4d-c6ec-fa40-6761089e1892
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: DB9PR05CU001.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: DB9PR05CA0008.EURPRD05.PROD.OUTLOOK.COM
  X-CalculatedBETarget: DB8P195MB0662.EURP195.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: 24tAb00e7Mb6QGdhCJ4Ykg.1.1
  X-FEServer: DB9PR05CA0008
  X-Powered-By: ASP.NET
  X-FEServer: AM6P195CA0054
  Date: Mon, 11 Oct 2021 22:37:50 GMT
  Connection: close
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 0ad922d7-711b-417c-0004-37a25225c4ea
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: DU2PR04CU012.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: DU2PR04CA0336.EURPRD04.PROD.OUTLOOK.COM
  X-CalculatedBETarget: DB7P194MB0346.EURP194.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: 1yLZChtxfEEABDeiUiXE6g.1.1
  X-FEServer: DU2PR04CA0336
  X-Powered-By: ASP.NET
  X-FEServer: AM5P194CA0019
  Date: Mon, 11 Oct 2021 22:37:54 GMT
  Connection: close
Source: WerFault.exe, 0000000D.00000002.542863916.00000000052E4000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.555554795.0000000004A95000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.566895044.0000000004E23000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531809993.00000000055AB000.00000004.00000040.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991829&rver
Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991831&rver
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: WerFault.exe, 00000013.00000003.567391017.0000000004E8D000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry.m
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f881KeBhik38%2fn4I3jisQrsLf3N%2f5T7WW0TVyqLiEqrYpioXw
Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fI2vyCwQZ_2BZdOw7_2FC5%2fQHqYyNs8nTjA1r7w%2fN6UkSzFGk
Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: unknown DNS traffic detected: queries for: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.135.82:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49789 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: m87xfb63XU.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7121B4 0_2_6E7121B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303AF24 0_2_0303AF24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03032B76 0_2_03032B76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03034C40 0_2_03034C40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E725600 0_2_6E725600
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E75D630 0_2_6E75D630
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E773CCE 0_2_6E773CCE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E75B597 0_2_6E75B597
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E77FA78 0_2_6E77FA78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E76A2B1 0_2_6E76A2B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E77FB98 0_2_6E77FB98
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E74E8C0 0_2_6E74E8C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E725600 3_2_6E725600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E75D630 3_2_6E75D630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E773CCE 3_2_6E773CCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E75B597 3_2_6E75B597
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E76A2B1 3_2_6E76A2B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E74E8C0 3_2_6E74E8C0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E74ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E74ABD1 appears 91 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E711273 NtMapViewOfSection, 0_2_6E711273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7115C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E7115C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7113B8 GetProcAddress,NtCreateSection,memset, 0_2_6E7113B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7123D5 NtQueryVirtualMemory, 0_2_6E7123D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03035D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_03035D10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303B149 NtQueryVirtualMemory, 0_2_0303B149
Source: m87xfb63XU.dll Virustotal: Detection: 18%
Source: m87xfb63XU.dll ReversingLabs: Detection: 22%
Source: m87xfb63XU.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@14/12@16/7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03034A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_03034A03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4596
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4668
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4348
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: m87xfb63XU.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: m87xfb63XU.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.515702652.00000000052D6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542683798.0000000004EA1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb1 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb4 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbHa source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb) source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.533606421.0000000000D92000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.553574266.0000000000832000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.568560433.0000000000C92000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbH source: WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb? source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK` source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: combase.pdb& source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbM source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.542799224.000000000311B000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbk source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdbKi source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb2 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb\ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbh source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbh source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbz source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb, source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbn source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.542852774.0000000003121000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E712150 push ecx; ret 0_2_6E712159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7121A3 push ecx; ret 0_2_6E7121B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303AF13 push ecx; ret 0_2_0303AF23
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303ABE0 push ecx; ret 0_2_0303ABE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E74AB9A push ecx; ret 0_2_6E74ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E74AB9A push ecx; ret 3_2_6E74ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_029FC806 pushad ; retf 5_2_029FC899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_029FC857 pushad ; retf 5_2_029FC899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0027BFA4 push esp; retn 0027h 6_2_0027BFA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0027C330 push esp; ret 6_2_0027C331
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E711DE5 LoadLibraryA,GetProcAddress, 0_2_6E711DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 0000000D.00000002.542983024.0000000005680000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWp
Source: WerFault.exe, 0000000D.00000002.542441671.0000000005224000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.567481007.0000000004EB2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000002.555925755.0000000004ED0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(
Source: WerFault.exe, 00000013.00000003.565081331.0000000004EB2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E756CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E756CB3
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E711DE5 LoadLibraryA,GetProcAddress, 0_2_6E711DE5
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E76C325 mov eax, dword ptr fs:[00000030h] 0_2_6E76C325
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E778861 mov eax, dword ptr fs:[00000030h] 0_2_6E778861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BDFDA mov eax, dword ptr fs:[00000030h] 0_2_6E7BDFDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BDEAA mov eax, dword ptr fs:[00000030h] 0_2_6E7BDEAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BDBB5 push dword ptr fs:[00000030h] 0_2_6E7BDBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E76C325 mov eax, dword ptr fs:[00000030h] 3_2_6E76C325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E778861 mov eax, dword ptr fs:[00000030h] 3_2_6E778861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7BDFDA mov eax, dword ptr fs:[00000030h] 3_2_6E7BDFDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7BDEAA mov eax, dword ptr fs:[00000030h] 3_2_6E7BDEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E7BDBB5 push dword ptr fs:[00000030h] 3_2_6E7BDBB5
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E756CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E756CB3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E74B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E74B316
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E756CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E756CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E74B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E74B316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.135.82 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E770E4C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E749EB5
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E77E448
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E770429
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E77EA21
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E77E344
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E77E3AD
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E77E84C
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E77E0A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E770E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E749EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E77E448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E770429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E77EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E77E344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E77E3AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E77E84C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E77E0A2
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303A82B cpuid 0_2_0303A82B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E711172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E711172
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E76FF15 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_6E76FF15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E711825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E711825
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0303A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_0303A82B

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY