Windows Analysis Report 616412739e268.dll

Overview

General Information

Sample Name: 616412739e268.dll
Analysis ID: 500413
MD5: 9e67e68ddbedba865b91b5469ab642ef
SHA1: f2c7b0735343081be06e48616d0fc14235a28744
SHA256: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif
{
  "RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=",
  "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"],
  "botnet": "8899",
  "server": "12",
  "serpent_key": "56473871MNTYAIDA",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
Multi AV Scanner detection for submitted file
Source: 616412739e268.dll ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website Virustotal: Detection: 6%
Source: breuranel.website Virustotal: Detection: 6%

Compliance:

Uses 32bit PE files
Source: 616412739e268.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.116.82:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.218.82:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.218.66:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.97.137.210:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.207.194:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.124.226:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: 616412739e268.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.880000220.0000000004643000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbJv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbvv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb: source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbnv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbE source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbO{ source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbQt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbr source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbLy source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbby source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbXv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbx source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbQ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbet source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbst source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll
Source: Binary string: wsspicli.pdbWt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbw source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbCt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.879269729.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb]t source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbbv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbhv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbpv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbI source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbOt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdbIt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbkt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb|v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdb^v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbEm5 source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb&v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbyt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb,v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891777281.00000000009AC000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbC source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbRv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbDv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.218.66 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.137.210 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.153.146
Source: Joe Sandbox View IP Address: 13.82.28.61
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: fee0e76a-0690-24c5-d39f-a0f3ac107e50 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: VI1PR0102CU003.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: VI1PR0102CA0087.EURPRD01.PROD.EXCHANGELABS.COM X-CalculatedBETarget: VI1PR04MB4495.eurprd04.prod.outlook.com X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: aufg/pAGxSTTn6DzrBB+UA.1.1 X-FEServer: VI1PR0102CA0087 X-Powered-By: ASP.NET X-FEServer: AS8PR04CA0081 Date: Mon, 11 Oct 2021 22:38:46 GMT Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: 463ae588-6705-a5a4-dc70-c20dde540b89 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-CalculatedFETarget: HE1PR0202CU001.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: HE1PR0202CA0016.EURPRD02.PROD.OUTLOOK.COM X-CalculatedBETarget: HE1P194MB0201.EURP194.PROD.OUTLOOK.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: iOU6RgVnpKXccMIN3lQLiQ.1.1 X-FEServer: HE1PR0202CA0016 X-Powered-By: ASP.NET X-FEServer: AM6P194CA0062 Date: Mon, 11 Oct 2021 22:38:53 GMT Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Length: 1245 Content-Type: text/html Server: Microsoft-IIS/10.0 request-id: bd6df30b-3506-0654-39aa-09111fc341ce Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Alt-Svc: h3=":443",h3-29=":443" X-CalculatedFETarget: VI1PR07CU008.internal.outlook.com X-BackEndHttpStatus: 404 X-FEProxyInfo: VI1PR07CA0252.EURPRD07.PROD.OUTLOOK.COM X-CalculatedBETarget: VI1PR01MB6621.EURPRD01.PROD.EXCHANGELABS.COM X-BackEndHttpStatus: 404 X-RUM-Validated: 1 X-Proxy-RoutingCorrectness: 1 X-Proxy-BackendServerStatus: 404 MS-CV: C/NtvQY1VAY5qgkRH8NBzg.1.1 X-FEServer: VI1PR07CA0252 X-Powered-By: ASP.NET X-FEServer: AM5PR0101CA0012 Date: Mon, 11 Oct 2021 22:40:08 GMT Connection: close
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.899844356.00000000045A7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.940321648.0000000005220000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp String found in binary or memory: https://breuranel.website/liopolo/q3ygJYAFVGZ_2F/lrVZdSxP5qWZx0IQW_2Fv/fatA_2F92zFSM6Wv/k_2BiVYapNB7
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1093682966.000000000170D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991885&rver
Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991891&rver
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991967&rver
Source: rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991974&rver
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093739436.0000000003BBC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp String found in binary or memory: https://msn.com/
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp String found in binary or memory: https://msn.com/D
Source: loaddll32.exe, 00000000.00000003.917168598.0000000001701000.00000004.00000001.sdmp String found in binary or memory: https://msn.com/f
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abY
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/2H
Source: loaddll32.exe, 00000000.00000002.1184438243.00000000016C2000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/9H
Source: loaddll32.exe, 00000000.00000003.1005814049.000000000170B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005878880.0000000001706000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/Bo
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp String found in binary or memory: https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNus
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.929018615.0000000004983000.00000004.00000001.sdmp String found in binary or memory: https://watson.tel
Source: rundll32.exe, 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gi
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp String found in binary or memory: https://wwtlook.office365.com/
Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f31Pla_2BCXtei%2f1R_2BY6O%2fxV8Y0PePoExsKvdRsArLjMT%2
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f5hHdOh6aVGIiN%2fxm3v7_2B%2fEkShunhzAo7MsZ9CmkqFWtX%2
Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fNtZggqxIX2EF9w_2%2fBavTQ0jHk8z72E0%2fmrA_2BNo5fGf18q
Source: rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQoeEw7znNY9KuZLPv%2fPhlDvAFg0Bnn%2fnVx6DnTynJS%2fJqe
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXa
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1184778471.0000000001722000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V
Source: unknown DNS traffic detected: queries for: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
Source: global traffic HTTP traffic detected: GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: msn.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: www.outlook.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.office365.com
Source: global traffic HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: outlook.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 616412739e268.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D21B4 0_2_6E2D21B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2E5600 0_2_6E2E5600
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E31D630 0_2_6E31D630
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E333CCE 0_2_6E333CCE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E31B597 0_2_6E31B597
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E32A2B1 0_2_6E32A2B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30E8C0 0_2_6E30E8C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD4C40 3_2_04CD4C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD2B76 3_2_04CD2B76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDAF24 3_2_04CDAF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2E5600 3_2_6E2E5600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E31D630 3_2_6E31D630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E333CCE 3_2_6E333CCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E31B597 3_2_6E31B597
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E33FA78 3_2_6E33FA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E32A2B1 3_2_6E32A2B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E33FB98 3_2_6E33FB98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30E8C0 3_2_6E30E8C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04974C40 5_2_04974C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497AF24 5_2_0497AF24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04972B76 5_2_04972B76
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E30ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E30ABD1 appears 91 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D13B8 GetProcAddress,NtCreateSection,memset, 0_2_6E2D13B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1273 NtMapViewOfSection, 0_2_6E2D1273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E2D15C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D23D5 NtQueryVirtualMemory, 0_2_6E2D23D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_04CD5D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDB149 NtQueryVirtualMemory, 3_2_04CDB149
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04975D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04975D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497B149 NtQueryVirtualMemory, 5_2_0497B149
Source: 616412739e268.dll ReversingLabs: Detection: 24%
Source: 616412739e268.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EDD.tmp
Source: classification engine Classification label: mal96.troj.evad.winDLL@14/12@24/10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD4A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_04CD4A03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 616412739e268.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 616412739e268.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.880000220.0000000004643000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbJv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbvv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb: source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbnv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbE source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbO{ source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbQt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbr source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbLy source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbby source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbXv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbx source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbQ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbet source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbst source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll
Source: Binary string: wsspicli.pdbWt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbw source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbCt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.879269729.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb]t source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbbv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbhv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbpv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbI source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbOt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdbIt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbkt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb|v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdb^v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbEm5 source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb&v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbyt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb,v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891777281.00000000009AC000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbC source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbRv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbDv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D21A3 push ecx; ret 0_2_6E2D21B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D2150 push ecx; ret 0_2_6E2D2159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30AB9A push ecx; ret 0_2_6E30ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDABE0 push ecx; ret 3_2_04CDABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDAF13 push ecx; ret 3_2_04CDAF23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30AB9A push ecx; ret 3_2_6E30ABAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497ABE0 push ecx; ret 5_2_0497ABE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497AF13 push ecx; ret 5_2_0497AF23
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress, 0_2_6E2D1DE5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 0000000C.00000003.926283769.00000000048B6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWm32\advapi32.dll
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.902665043.0000000004560000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.938125643.0000000005307000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000003.936044986.0000000005307000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E316CB3
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress, 0_2_6E2D1DE5
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E32C325 mov eax, dword ptr fs:[00000030h] 0_2_6E32C325
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E338861 mov eax, dword ptr fs:[00000030h] 0_2_6E338861
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DFDA mov eax, dword ptr fs:[00000030h] 0_2_6E37DFDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DEAA mov eax, dword ptr fs:[00000030h] 0_2_6E37DEAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DBB5 push dword ptr fs:[00000030h] 0_2_6E37DBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E32C325 mov eax, dword ptr fs:[00000030h] 3_2_6E32C325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E338861 mov eax, dword ptr fs:[00000030h] 3_2_6E338861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DFDA mov eax, dword ptr fs:[00000030h] 3_2_6E37DFDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DEAA mov eax, dword ptr fs:[00000030h] 3_2_6E37DEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DBB5 push dword ptr fs:[00000030h] 3_2_6E37DBB5
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E316CB3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E30B316
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E316CB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E30B316

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.218.66 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.137.210 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E330E4C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E309EB5
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E330429
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E33E448
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E33EA21
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E33E344
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E33E3AD
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E33E84C
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E33E0A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E330E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E309EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E330429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E33E448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E33EA21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E33E344
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E33E3AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E33E84C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E33E0A2
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDA82B cpuid 3_2_04CDA82B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E2D1172
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E32FF15 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_6E32FF15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E2D1825
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDA82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_04CDA82B

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
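The Yara matches above are listed as sandbox source identifiers of three shapes: unpacked-PE names such as `3.3.rundll32.exe.342a31a.0.raw.unpack`, memory-dump names such as `00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp`, and whole-process strings such as `Process Memory Space: rundll32.exe PID: 7052`. The dump names carry only a process index and an address, not the image name, so it is not obvious at a glance which dumps belong to the rundll32.exe processes. The following Python is an added triage helper, not code from the Joe Sandbox report: it parses the three identifier shapes, learns the process index to image mapping from the unpacked-PE names (which carry both), and reports which memory dumps were taken from executable-and-writable regions. Two things are assumptions, labelled in the code as well: that the phase index means 0 = process start, 2 = end of analysis and 3 = during execution, and that the fifth field of a dump name is the region's Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The sample lines are a constructed excerpt in the report's own format.

```python
"""Parse Joe Sandbox "Source: Yara match" identifiers and summarise where the hits land."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of report lines (same format as the page, not the full list).
SAMPLE_LINES = """\
Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<type>\w+)$")
# <proc index>.<phase>.<image>.<base hex>.<n>.[raw.]unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")
# <proc index>.<phase>.<dump id>.<base>.<field5>.<field6>.sdmp  (all hex except dump id)
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

# Assumption: sandbox phase indices (0 = process start, 2 = end of analysis, 3 = during run).
PHASES = {0: "start", 2: "end", 3: "during"}
# Assumption: field 5 of a dump name is the Win32 page protection of the dumped region.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class YaraHit:
    kind: str                    # UNPACKEDPE, MEMORY or MEMORYSTR
    proc_index: Optional[int]    # sandbox process index (not a PID)
    image: Optional[str]         # image name when the identifier carries one
    phase: Optional[int]         # sandbox phase index
    base: Optional[int]          # region base address
    protect: Optional[int]       # page protection value (MEMORY dumps only)
    pid: Optional[int] = None    # real PID (MEMORYSTR only)
    raw: bool = False            # raw (unmapped) dump vs rebuilt PE


def protect_name(value: int) -> str:
    return PAGE_PROTECT.get(value, f"0x{value:08x}")


def parse_line(line: str) -> Optional[YaraHit]:
    """Return a YaraHit for a 'Source: Yara match' line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["type"]
    u = UNPACK_RE.match(src)
    if u:
        return YaraHit(kind, int(u["proc"]), u["image"], int(u["phase"]),
                       int(u["base"], 16), None, raw=u["raw"] is not None)
    d = DUMP_RE.match(src)
    if d:
        return YaraHit(kind, int(d["proc"], 16), None, int(d["phase"], 16),
                       int(d["base"], 16), int(d["prot"], 16))
    s = MEMSTR_RE.match(src)
    if s:
        return YaraHit(kind, None, s["image"], None, None, None, pid=int(s["pid"]))
    return YaraHit(kind, None, None, None, None, None)


def parse_report(text: str) -> List[YaraHit]:
    return [h for h in (parse_line(l) for l in text.splitlines()) if h is not None]


def index_to_image(hits: List[YaraHit]) -> Dict[int, str]:
    """Dump names carry only the process index; learn index -> image from the
    unpacked-PE identifiers, which carry both."""
    return {h.proc_index: h.image for h in hits if h.proc_index is not None and h.image}


def summarize(hits: List[YaraHit]) -> Dict[str, object]:
    """Count hits per image and list dumps taken from RWX regions (injected-code candidates)."""
    names = index_to_image(hits)
    by_image: Counter = Counter()
    rwx: List[Tuple[str, str, int]] = []
    for h in hits:
        image = h.image or names.get(h.proc_index, f"proc#{h.proc_index}")
        by_image[image] += 1
        if h.kind == "MEMORY" and h.protect == 0x40:
            rwx.append((image, PHASES.get(h.phase, "unknown"), h.base))
    return {"by_image": dict(by_image), "rwx_dumps": rwx}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_LINES))
    print("hits per image:", summary["by_image"])
    for image, phase, base in summary["rwx_dumps"]:
        print(f"RWX dump in {image} ({phase}) at 0x{base:08x}")
```

Run over the full list on this page, the mapping resolves indices 2, 3, 4 and 5 to rundll32.exe and 0 to loaddll32.exe, and every `.00000040.` dump from phase 3 sits in a rundll32.exe process: Ursnif code in writable executable memory of a system binary that was started by the loader, which is the same picture the report's code-injection signatures describe.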