Windows Analysis Report 616412739e268.dll

Overview

General Information

Sample Name: 616412739e268.dll
Analysis ID: 500413
MD5: 9e67e68ddbedba865b91b5469ab642ef
SHA1: f2c7b0735343081be06e48616d0fc14235a28744
SHA256: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7036 cmdline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7040 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7052 cmdline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1364 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6464 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(31 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.3.rundll32.exe.8aa31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.322a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.2eca31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.2eca31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.3.rundll32.exe.342a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(18 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 616412739e268.dll | ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website | Virustotal: Detection: 6%
Source: breuranel.website | Virustotal: Detection: 6%
Source: 616412739e268.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.116.82:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.82:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.66:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.137.210:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.207.194:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.124.226:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: 616412739e268.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.880000220.0000000004643000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbJv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdbvv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb: source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbnv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbE source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbO{ source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbQt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbr source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbLy source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbby source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbXv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbx source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbQ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbet source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdbst source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll
                      Source: Binary string: wsspicli.pdbWt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbw source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbCt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.879269729.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb]t source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbbv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbhv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdbpv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbI source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbOt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdbIt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbkt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb|v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: imagehlp.pdb^v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbEm5 source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb&v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbyt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb,v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891777281.00000000009AC000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdbC source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbRv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbDv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.218.66 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.137.210 187
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | IP Address: 40.97.153.146
Source: Joe Sandbox View | IP Address: 13.82.28.61
Source: global traffic | HTTP traffic detected: GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic | HTTP traffic detected: GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic | HTTP traffic detected: GET /mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic | HTTP traffic detected: GET /mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: fee0e76a-0690-24c5-d39f-a0f3ac107e50 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: VI1PR0102CU003.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR0102CA0087.EURPRD01.PROD.EXCHANGELABS.COM | X-CalculatedBETarget: VI1PR04MB4495.eurprd04.prod.outlook.com | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: aufg/pAGxSTTn6DzrBB+UA.1.1 | X-FEServer: VI1PR0102CA0087 | X-Powered-By: ASP.NET | X-FEServer: AS8PR04CA0081 | Date: Mon, 11 Oct 2021 22:38:46 GMT | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 463ae588-6705-a5a4-dc70-c20dde540b89 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: HE1PR0202CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: HE1PR0202CA0016.EURPRD02.PROD.OUTLOOK.COM | X-CalculatedBETarget: HE1P194MB0201.EURP194.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: iOU6RgVnpKXccMIN3lQLiQ.1.1 | X-FEServer: HE1PR0202CA0016 | X-Powered-By: ASP.NET | X-FEServer: AM6P194CA0062 | Date: Mon, 11 Oct 2021 22:38:53 GMT | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: bd6df30b-3506-0654-39aa-09111fc341ce | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Alt-Svc: h3=":443",h3-29=":443" | X-CalculatedFETarget: VI1PR07CU008.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR07CA0252.EURPRD07.PROD.OUTLOOK.COM | X-CalculatedBETarget: VI1PR01MB6621.EURPRD01.PROD.EXCHANGELABS.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: C/NtvQY1VAY5qgkRH8NBzg.1.1 | X-FEServer: VI1PR07CA0252 | X-Powered-By: ASP.NET | X-FEServer: AM5PR0101CA0012 | Date: Mon, 11 Oct 2021 22:40:08 GMT | Connection: close
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.899844356.00000000045A7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.940321648.0000000005220000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns#
Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
Source: loaddll32.exe, 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://blogs.msn.com/
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/q3ygJYAFVGZ_2F/lrVZdSxP5qWZx0IQW_2Fv/fatA_2F92zFSM6Wv/k_2BiVYapNB7
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1093682966.000000000170D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991885&rver
Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991891&rver
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991967&rver
Source: rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991974&rver
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093739436.0000000003BBC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/D
Source: loaddll32.exe, 00000000.00000003.917168598.0000000001701000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/f
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abY
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/
Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/2H
Source: loaddll32.exe, 00000000.00000002.1184438243.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/9H
Source: loaddll32.exe, 00000000.00000003.1005814049.000000000170B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005878880.0000000001706000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/Bo
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNus
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
Source: WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.929018615.0000000004983000.00000004.00000001.sdmp | String found in binary or memory: https://watson.tel
Source: rundll32.exe, 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gi
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://wwtlook.office365.com/
Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f31Pla_2BCXtei%2f1R_2BY6O%2fxV8Y0PePoExsKvdRsArLjMT%2
Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f5hHdOh6aVGIiN%2fxm3v7_2B%2fEkShunhzAo7MsZ9CmkqFWtX%2
Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fNtZggqxIX2EF9w_2%2fBavTQ0jHk8z72E0%2fmrA_2BNo5fGf18q
Source: rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQoeEw7znNY9KuZLPv%2fPhlDvAFg0Bnn%2fnVx6DnTynJS%2fJqe
Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
Source: loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXa
Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1184778471.0000000001722000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V
Source: unknown | DNS traffic detected: queries for: msn.com
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.116.82:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.82:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.66:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.137.210:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.207.194:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.124.226:443 -> 192.168.2.4:49862 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 616412739e268.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D21B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2E5600
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E31D630
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E333CCE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E31B597
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E32A2B1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E30E8C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD4C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD2B76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDAF24
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2E5600
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E31D630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E333CCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E31B597
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E33FA78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E32A2B1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E33FB98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E30E8C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04974C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0497AF24
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04972B76
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E30ABD1 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E30ABD1 appears 91 times
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D13B8 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D1273 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D23D5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDB149 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04975D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0497B149 NtQueryVirtualMemory
Source: 616412739e268.dll | ReversingLabs: Detection: 24%
Source: 616412739e268.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1