Windows Analysis Report m87xfb63XU.dll

Overview

General Information

Sample Name: m87xfb63XU.dll
Analysis ID: 500399
MD5: 5aa733e108f0fa41df88cea0a309affe
SHA1: ce79918ca7845f2163360ea40a251912998ea226
SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6316 cmdline: loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4524 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4536 cmdline: rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4668 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4596 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4348 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(28 entries in total; the first 5 are listed above)

            Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.2eb0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.3030000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.35794a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.6e710000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6e710000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(13 entries in total; the first 5 are listed above)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: m87xfb63XU.dll, Virustotal: Detection: 18%
Source: m87xfb63XU.dll, ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: areuranel.website, Virustotal: Detection: 6%
Source: breuranel.website, Virustotal: Detection: 6%
Source: m87xfb63XU.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49784 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49787 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.135.82:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: m87xfb63XU.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.515702652.00000000052D6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542683798.0000000004EA1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb1 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb4 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbHa source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb) source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.533606421.0000000000D92000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.553574266.0000000000832000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.568560433.0000000000C92000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbH source: WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb? source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK` source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: combase.pdb& source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbM source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.542799224.000000000311B000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbk source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdbKi source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb2 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb\ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbh source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbh source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbz source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb, source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbn source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.542852774.0000000003121000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.97.135.82 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 13.82.28.61 187
Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View, IP Address: 40.97.153.146
Source: Joe Sandbox View, IP Address: 13.82.28.61
Source: global traffic, HTTP traffic detected:
  GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic, HTTP traffic detected:
  GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
Source: global traffic, HTTP traffic detected:
  GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown, Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49789
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 6f408bdb-1e4d-c6ec-fa40-6761089e1892
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: DB9PR05CU001.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: DB9PR05CA0008.EURPRD05.PROD.OUTLOOK.COM
  X-CalculatedBETarget: DB8P195MB0662.EURP195.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: 24tAb00e7Mb6QGdhCJ4Ykg.1.1
  X-FEServer: DB9PR05CA0008
  X-Powered-By: ASP.NET
  X-FEServer: AM6P195CA0054
  Date: Mon, 11 Oct 2021 22:37:50 GMT
  Connection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 0ad922d7-711b-417c-0004-37a25225c4eaStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DU2PR04CU012.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DU2PR04CA0336.EURPRD04.PROD.OUTLOOK.COMX-CalculatedBETarget: DB7P194MB0346.EURP194.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 1yLZChtxfEEABDeiUiXE6g.1.1X-FEServer: DU2PR04CA0336X-Powered-By: ASP.NETX-FEServer: AM5P194CA0019Date: Mon, 11 Oct 2021 22:37:54 GMTConnection: close
                      Source: WerFault.exe, 0000000D.00000002.542863916.00000000052E4000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.555554795.0000000004A95000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.566895044.0000000004E23000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmpString found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531809993.00000000055AB000.00000004.00000040.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991829&rver
                      Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991831&rver
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: WerFault.exe, 00000013.00000003.567391017.0000000004E8D000.00000004.00000001.sdmpString found in binary or memory: https://watson.telemetry.m
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f881KeBhik38%2fn4I3jisQrsLf3N%2f5T7WW0TVyqLiEqrYpioXw
                      Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fI2vyCwQZ_2BZdOw7_2FC5%2fQHqYyNs8nTjA1r7w%2fN6UkSzFGk
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: unknownDNS traffic detected: queries for: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49754 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49756 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49784 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.3:49785 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49786 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49787 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.135.82:443 -> 192.168.2.3:49788 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49789 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: m87xfb63XU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7121B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0303AF24
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03032B76
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03034C40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E725600
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E75D630
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E773CCE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E75B597
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E77FA78
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E76A2B1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E77FB98
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E74E8C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E725600
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E75D630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E773CCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E75B597
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E76A2B1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E74E8C0
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E74ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E74ABD1 appears 91 times
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E711273 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7115C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7113B8 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7123D5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03035D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0303B149 NtQueryVirtualMemory
Source: m87xfb63XU.dll | Virustotal: Detection: 18%
Source: m87xfb63XU.dll | ReversingLabs: Detection: 22%
Source: m87xfb63XU.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp
Source: classification engine | Classification label: mal96.troj.evad.winDLL@14/12@16/7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03034A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4596
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4668
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4348
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: m87xfb63XU.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: m87xfb63XU.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.515702652.00000000052D6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542683798.0000000004EA1000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb1 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb4 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbHa source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb) source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.533606421.0000000000D92000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.553574266.0000000000832000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.568560433.0000000000C92000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbH source: WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb? source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbK` source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb& source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbM source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.542799224.000000000311B000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdbb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbk source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbKi source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb2 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb\ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdbh source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbh source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.00000