Edit tour

Windows Analysis Report
mirabon.msi

Overview

General Information

Sample name:	mirabon.msi
Analysis ID:	1578371
MD5:	a9abe7b0d625cb55adb1e9c3e7df498b
SHA1:	8fc950287aa5bd3db8449b9ebdeecf9cbd0a4d57
SHA256:	d500d26f09f5419ca83d0604defe1cc7b17b16530ee2667eff4cec07bdec2f99
Tags:	msiuser-pr0xylife
Infos:

Detection

BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to query network adapater information

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 576 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\mirabon.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6760 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AC2828E810036024BC5181D16A644983 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 3920 cmdline: C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 812 cmdline: C:\Windows\system32\WerFault.exe -u -p 4056 -s 7000 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

explorer.exe (PID: 4940 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://proliforetka.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3181432738.00000000099DB000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000004.00000003.2301509386.0000027F9288B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: rundll32.exe PID: 3920	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: explorer.exe PID: 4056	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

Sigma Signatures

System Summary

Sigma detected: RunDLL32 Spawning Explorer

Source: Process started

Author: elhoim, CD_ROM_: Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 3920, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 4056, ProcessName: explorer.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T16:12:20.475672+0100	2028371	3	Unknown Traffic	192.168.2.7	49714	188.114.97.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://proliforetka.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gpuset\gpufault.dll

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: mirabon.msi

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Sample uses string decryption to hide its real strings

Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c systeminfo
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c net view /all
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &ipconfig=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c net config workstation
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &systeminfo=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &net_view_all=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &net_group=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &wmic=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &whoami_group=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "pid":
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "%d",
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "proc":
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "%s",
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "subproc": [
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &proclist=[
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "pid":
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "%d",
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "proc":
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "%s",
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "subproc": [
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &desklinks=[
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: .
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "%s"
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Update_%x
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Custom_update
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: .dll
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: .exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Error
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: runnung
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %s/%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: front
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: /files/
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Lambda
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Cookie:
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: POST
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: GET
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: CLEARURL
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: URLS
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: COMMAND
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: ERROR
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: aPQLnCcYDT5xeVCxMvCCPmDCealRt4Sb1tyrV5j5ovSSvsA5cZQIJDlIqsBkNLFA
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: [{"data":"
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: "}]
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &dpost=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: https://proliforetka.com/test/
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: https://dogirafer.com/test/
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: \*.dll
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: AppData
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Desktop
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Startup
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Personal
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Local AppData
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: <html>
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %s%d.dll
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: 12345
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: 12345
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &stiller=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %s%d.exe
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %x%x
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &mac=
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %02x
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: :%02x
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &computername=%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: &domain=%s
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: LogonTrigger
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: TimeTrigger
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: PT0S
Source: 4.3.rundll32.exe.7df498ea0000.0.raw.unpack	String decryptor: \update_data.dat

Source: unknown

HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.7:49714 version: TLS 1.2

Source:	Binary string: C:\dvs\p4\build\sw\rel\gfclient\rel_03&3!ZxZQ9rbTQA!n8N>7T3de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: gpufault.dll.2.dr
Source:	Binary string: de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: gpufault.dll.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_02E1A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		10_2_02E1A8E0
Source: C:\Windows\explorer.exe	Code function: 10_2_02E12B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		10_2_02E12B28

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.46.11 8817	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.41 8817	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.6 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://proliforetka.com/test/
Source: Malware configuration extractor	URLs: https://dogirafer.com/test/

Source: global traffic	TCP traffic: 192.168.2.7:49705 -> 94.232.40.41:8817
Source: global traffic	TCP traffic: 192.168.2.7:49711 -> 94.232.46.11:8817

Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 94.232.46.11 94.232.46.11
Source: Joe Sandbox View	IP Address: 94.232.40.41 94.232.40.41

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 188.114.97.6:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_02E15078 InternetReadFile,

10_2_02E15078

Source: global traffic	DNS traffic detected: DNS query: cronoze.com
Source: global traffic	DNS traffic detected: DNS query: muuxxu.com
Source: global traffic	DNS traffic detected: DNS query: proliforetka.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2315203432.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3230328902.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225779796.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229916248.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237874954.00000000081EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2315203432.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3230328902.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225779796.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229916248.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237874954.00000000081EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2315203432.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3230328902.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225779796.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229916248.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237874954.00000000081EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2315203432.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3230328902.00000000081EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225779796.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229916248.00000000081E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237874954.00000000081EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000004.00000003.2332477990.0000027F8ED75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.2332477990.0000027F8ED75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: explorer.exe, 0000000A.00000000.2316566178.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3178353597.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2316589833.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837952366.0000027F8ED68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837952366.0000027F8ED68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000000.2317548863.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/b
Source: explorer.exe, 0000000F.00000003.3237933978.0000000007F88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3239417409.0000000004F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.2314262850.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225443832.0000000007F7C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225648983.0000000007FA4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229858561.0000000007FA4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.0000000007F88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.0000000007F88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com/
Source: rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.php
Source: rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.phprS
Source: explorer.exe, 0000000A.00000002.3181337306.000000000969D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 0000000A.00000002.3181337306.000000000969D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/t/
Source: explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 0000000A.00000002.3180139457.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3185367946.000000000C143000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3186986735.000000000C40E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/
Source: explorer.exe, 0000000A.00000002.3171729396.0000000003249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/5117-2476756634-1003
Source: explorer.exe, 0000000A.00000002.3180139457.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/A
Source: explorer.exe, 0000000A.00000002.3186986735.000000000C40E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/jM
Source: explorer.exe, 0000000A.00000002.3187326408.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3171729396.0000000003249000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3171729396.0000000003230000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3180139457.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3185367946.000000000C1F7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/
Source: explorer.exe, 0000000A.00000002.3171729396.0000000003230000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/%b
Source: explorer.exe, 0000000A.00000002.3180139457.0000000009013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/4E
Source: explorer.exe, 0000000A.00000002.3187326408.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/53
Source: explorer.exe, 0000000A.00000002.3185367946.000000000C214000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/CIu
Source: explorer.exe, 0000000A.00000002.3185367946.000000000C214000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://proliforetka.com/test/uIO
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000000.2317548863.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000F.00000003.3237933978.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comola-
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000A.00000000.2314262850.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.7:49714 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000027F9253D2E0 NtProtectVirtualMemory,	4_3_0000027F9253D2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000027F9253D270 NtAllocateVirtualMemory,	4_3_0000027F9253D270
Source: C:\Windows\explorer.exe	Code function: 10_2_02E182B4 NtFreeVirtualMemory,	10_2_02E182B4
Source: C:\Windows\explorer.exe	Code function: 10_2_02E1B388 NtAllocateVirtualMemory,	10_2_02E1B388
Source: C:\Windows\explorer.exe	Code function: 10_2_02E1C704 NtDelayExecution,	10_2_02E1C704
Source: C:\Windows\explorer.exe	Code function: 10_2_02E180B8 RtlInitUnicodeString,NtCreateFile,	10_2_02E180B8
Source: C:\Windows\explorer.exe	Code function: 10_2_02E18240 NtClose,	10_2_02E18240
Source: C:\Windows\explorer.exe	Code function: 10_2_02E181C8 NtWriteFile,	10_2_02E181C8
Source: C:\Windows\explorer.exe	Code function: 10_2_02E201A0 NtFreeVirtualMemory,	10_2_02E201A0
Source: C:\Windows\explorer.exe	Code function: 10_2_02E20130 NtAllocateVirtualMemory,	10_2_02E20130

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c24ff.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2618.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26B5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26E5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2715.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2793.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI2618.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_02E202E0	10_2_02E202E0
Source: C:\Windows\explorer.exe	Code function: 10_2_02E202A8	10_2_02E202A8
Source: C:\Windows\explorer.exe	Code function: 10_2_02E11A8C	10_2_02E11A8C
Source: C:\Windows\explorer.exe	Code function: 10_2_02E11A7C	10_2_02E11A7C
Source: C:\Windows\explorer.exe	Code function: 10_2_02E203E8	10_2_02E203E8
Source: C:\Windows\explorer.exe	Code function: 10_2_02E203C8	10_2_02E203C8
Source: C:\Windows\explorer.exe	Code function: 10_2_02E201A0	10_2_02E201A0
Source: C:\Windows\explorer.exe	Code function: 10_2_02E12164	10_2_02E12164
Source: C:\Windows\explorer.exe	Code function: 10_2_02E20328	10_2_02E20328

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI2618.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 7000

Source: gpufault.dll.2.dr

Static PE information: Number of sections : 12 > 10

Source: mirabon.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs mirabon.msi

Source: classification engine

Classification label: mal100.troj.evad.winMSI@8/31@5/3

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_00007DF498EC0000 CreateToolhelp32Snapshot,Process32First,CloseHandle,

4_3_00007DF498EC0000

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML2A3F.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4056

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF6C6DEB475CB79BA7.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\explorer.exe

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc

Source: mirabon.msi

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\mirabon.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AC2828E810036024BC5181D16A644983
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 7000
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AC2828E810036024BC5181D16A644983	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsinternal.composableshell.desktophosting.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiamanager.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: mirabon.msi

Static file information: File size 2416640 > 1048576

Source:	Binary string: C:\dvs\p4\build\sw\rel\gfclient\rel_03&3!ZxZQ9rbTQA!n8N>7T3de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: gpufault.dll.2.dr
Source:	Binary string: de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: gpufault.dll.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr

Source: gpufault.dll.2.dr

Static PE information: real checksum: 0x32b556 should be: 0x3d4d56

Source: gpufault.dll.2.dr	Static PE information: section name: .giats
Source: gpufault.dll.2.dr	Static PE information: section name: minATL
Source: gpufault.dll.2.dr	Static PE information: section name: .00cfg

Source: C:\Windows\explorer.exe	Code function: 10_2_02E1E690 push rbx; retf	10_2_02E1E697
Source: C:\Windows\explorer.exe	Code function: 10_2_02E1E3E7 push 62DF9C6Fh; iretd	10_2_02E1E3EC
Source: C:\Windows\explorer.exe	Code function: 10_2_02E1F551 push rsi; retf	10_2_02E1F552

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\gpuset\gpufault.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2715.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26B5.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2715.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26B5.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	10_2_02E17274
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	10_2_02E18424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,	10_2_02E20610

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5823	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 382	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3255	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 894	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI26E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2715.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI26B5.tmp	Jump to dropped file

Source: C:\Windows\explorer.exe TID: 5076	Thread sleep count: 5823 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5076	Thread sleep time: -5823000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6108	Thread sleep count: 382 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6108	Thread sleep time: -38200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5076	Thread sleep count: 3255 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5076	Thread sleep time: -3255000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_02E1A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		10_2_02E1A8E0
Source: C:\Windows\explorer.exe	Code function: 10_2_02E12B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		10_2_02E12B28

Source: explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000F.00000003.3415299366.000000000C64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD0W
Source: explorer.exe, 0000000F.00000003.3281574082.000000000C592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2307534447.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual d
Source: explorer.exe, 0000000F.00000003.3315948771.000000000C5BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000F.00000003.3457434097.000000000C4DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:Y
Source: explorer.exe, 0000000F.00000003.3415299366.000000000C64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\6M
Source: explorer.exe, 0000000F.00000003.3276196760.000000000C3BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000F.00000003.3315948771.000000000C5BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: rundll32.exe, 00000004.00000003.1837877357.0000027F8ED37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229792308.0000000008200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225740847.00000000081FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000F.00000003.3224541053.0000000008029000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.0000000008029000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.0000000008029000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWverWindowiverStore\en-US\msmouse.inf_loc;l
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000000F.00000003.3276196760.000000000C3BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000F.00000003.3276867556.000000000C65F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000F.00000003.3237298470.00000000081BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3229916248.00000000081BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3225779796.00000000081BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000000F.00000003.3457434097.000000000C4DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000F.00000003.3276797981.000000000C5EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000000A.00000002.3180139457.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000A.00000002.3180139457.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000000A.00000002.3177886513.000000000730B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Deviceoem2.inff
Source: explorer.exe, 0000000F.00000003.3457434097.000000000C4F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00h8
Source: explorer.exe, 0000000A.00000000.2317048902.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000000F.00000003.3415299366.000000000C64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: explorer.exe, 0000000F.00000003.3457434097.000000000C4F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00*
Source: explorer.exe, 0000000A.00000000.2309163328.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000000A.00000000.2307534447.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000002.3179387517.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2307534447.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\explorer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.46.11 8817	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.41 8817	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.6 443	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 2E10000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_00007DF498EC0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

4_3_00007DF498EC0100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 2E10000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 2E10000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 4056 base: 2E10000 value: 4D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3020			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3020			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 3020 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 2E10000

Jump to behavior

Source: explorer.exe, 0000000A.00000002.3177020998.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317548863.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3180139457.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2308690721.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000003.3275740423.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3269595783.0000000004EDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2308690721.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 0000000A.00000000.2307534447.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3168709537.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000A.00000000.2308690721.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 10_2_02E18D3C GetUserNameA,wsprintfA,

10_2_02E18D3C

Source: C:\Windows\explorer.exe

Code function: 10_2_02E200E8 RtlGetVersion,

10_2_02E200E8

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000004.00000003.2301509386.0000027F9288B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3920, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 0000000A.00000002.3181432738.00000000099DB000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4056, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000004.00000003.2301509386.0000027F9288B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3920, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 0000000A.00000002.3181432738.00000000099DB000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4056, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	92 Process Injection	21 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	13 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	13 Virtualization/Sandbox Evasion	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	92 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	2 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	13 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mirabon.msi	18%	ReversingLabs	Win64.Trojan.Latrodectus

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\gpuset\gpufault.dll	24%	ReversingLabs	Win64.Trojan.Latrodectus
C:\Windows\Installer\MSI2618.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI26B5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI26E5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2715.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
cronoze.com	94.232.40.41	true	false	high
proliforetka.com	188.114.97.6	true	true	unknown
muuxxu.com	94.232.46.11	true	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dogirafer.com/test/	true		unknown
https://proliforetka.com/test/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.2317048902.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3179387517.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.pollensense.com/	explorer.exe, 0000000A.00000000.2314262850.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 0000000A.00000000.2314262850.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://proliforetka.com/test/53	explorer.exe, 0000000A.00000002.3187326408.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://proliforetka.com/test/uIO	explorer.exe, 0000000A.00000002.3185367946.000000000C214000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://proliforetka.com/5117-2476756634-1003	explorer.exe, 0000000A.00000002.3171729396.0000000003249000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://excel.office.com	explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micro	explorer.exe, 0000000A.00000000.2316566178.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3178353597.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2316589833.0000000008820000.00000002.00000001.00040000.00000000.sdmp	false	high
https://powerpoint.office.comEM	explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://proliforetka.com/test/4E	explorer.exe, 0000000A.00000002.3180139457.0000000009013000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://proliforetka.com/A	explorer.exe, 0000000A.00000002.3180139457.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cronoze.com/	rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x1.c.lencr.org/0	rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837952366.0000027F8ED68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837952366.0000027F8ED68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cronoze.com:8817/intel.phprS	rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://proliforetka.com/	explorer.exe, 0000000A.00000002.3180139457.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3185367946.000000000C143000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3186986735.000000000C40E000.00000004.00000001.00020000.00000000.sdmp	true	unknown
https://wns.windows.com/	explorer.exe, 0000000A.00000000.2317548863.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/b	explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://word.office.com	explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
http://r11.o.lencr.org0#	rundll32.exe, 00000004.00000003.2332477990.0000027F8ED75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://proliforetka.com/test/%b	explorer.exe, 0000000A.00000002.3171729396.0000000003230000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://proliforetka.com/jM	explorer.exe, 0000000A.00000002.3186986735.000000000C40E000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://powerpoint.office.com	explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.foreca.com	explorer.exe, 0000000A.00000000.2314262850.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://outlook.com	explorer.exe, 0000000A.00000000.2320253258.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3184648582.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://r11.i.lencr.org/0	rundll32.exe, 00000004.00000003.2332477990.0000027F8ED75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660374742.0000027F8ED74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837829758.0000027F8ED4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301394137.0000027F8ED9F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3660320394.0000027F8ED9E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ECFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2301320408.0000027F8ED71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2332477990.0000027F8EDA0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://word.office.comola-	explorer.exe, 0000000F.00000003.3237933978.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3235994670.00000000081FC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://cronoze.com:8817/intel.php	rundll32.exe, 00000004.00000003.3660211148.0000027F9291F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1837895324.0000027F8ED1F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.thawte.com/cps0/	mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	false	high
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.2317548863.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.thawte.com/repository0W	mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	false	high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000A.00000002.3179387517.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2317048902.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://dogirafer.com/test/t/	explorer.exe, 0000000A.00000002.3181337306.000000000969D000.00000004.00000010.00020000.00000000.sdmp	false	unknown
https://proliforetka.com/test/CIu	explorer.exe, 0000000A.00000002.3185367946.000000000C214000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://www.advancedinstaller.com	mirabon.msi, MSI26E5.tmp.2.dr, 6c24ff.msi.2.dr, MSI2618.tmp.2.dr, MSI26B5.tmp.2.dr, MSI2715.tmp.2.dr	false	unknown
https://api.msn.com/	explorer.exe, 0000000A.00000002.3179387517.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237298470.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3224541053.00000000080E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3237933978.00000000080E5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni	explorer.exe, 0000000A.00000000.2314262850.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3177112525.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.6	proliforetka.com	European Union	13335	CLOUDFLARENETUS	true
94.232.46.11	muuxxu.com	Russian Federation	44477	WELLWEBNL	false
94.232.40.41	cronoze.com	Russian Federation	44477	WELLWEBNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578371
Start date and time:	2024-12-19 16:08:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	mirabon.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@8/31@5/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, VSSVC.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 4.175.87.197, 20.190.159.75, 23.218.208.109, 2.18.40.143, 2.18.40.136
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, r.bing.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, api-msn-com.a-0003.a-msedge.net
Execution Graph export aborted for target rundll32.exe, PID 3920 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: mirabon.msi

Simulations

Behavior and APIs

Time	Type	Description
10:11:00	API Interceptor	1335664x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.6	236236236.elf	Get hash	malicious	Unknown	Browse	hollweghospitality.com/wp-login.php
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.questmatch.pro/1yxc/
	8WgZHDQckx.exe	Get hash	malicious	Pony	Browse	www.dynamotouren.com/?dynamotouren.de
	fUHl7rElXU.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/OARvm
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	ZciowjM9hN.exe	Get hash	malicious	Lokibot	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
94.232.46.11	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse
	45c62e.msi	Get hash	malicious	Unknown	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
94.232.40.41	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse
	45c62e.msi	Get hash	malicious	Unknown	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
muuxxu.com	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.46.11
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.46.11
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
proliforetka.com	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	172.67.161.60
cronoze.com	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.40.41
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Doc_14-58-28.js	Get hash	malicious	Unknown	Browse	172.67.180.133
	Doc_14-58-28.js	Get hash	malicious	Unknown	Browse	172.67.180.133
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	172.67.134.110
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Eallentoff_401k_1484013830.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Hkeyboard.dll	Get hash	malicious	Unknown	Browse	104.21.40.214
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.202.149
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	104.21.67.146
	Non-Disclosure Agreement.html	Get hash	malicious	Unknown	Browse	104.17.25.14
WELLWEBNL	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.40.41
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
WELLWEBNL	gpufault.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.40.41
	appgpuset.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	188.114.97.6
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	188.114.97.6
	Svcrhpjadgyclc.cmd	Get hash	malicious	DBatLoader	Browse	188.114.97.6
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	188.114.97.6
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	188.114.97.6
	MFQbv2Yuzv.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.6
	Y41xQGmT37.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.6
	O3u9C8cpzl.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.6
	niwvNnBk2p.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.6
	661fW9gxDp.exe	Get hash	malicious	LummaC	Browse	188.114.97.6

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI2618.tmp	lavita.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	45c62e.msi	Get hash	malicious	Unknown	Browse
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse
	klog.php.msi	Get hash	malicious	Matanbuchus	Browse
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	merd.msi	Get hash	malicious	Unknown	Browse
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	lavi.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse

Created / dropped Files

C:\Config.Msi\6c2501.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1407
Entropy (8bit):	5.743450585841822
Encrypted:	false
SSDEEP:	24:TOg59dnKCbnv68l9Ax9YbIA159TlRpUjSnISnoFP8DhiSW6ESnISn5hSnISnjQsV:ye9dNS8l9Ax9YbIA159TlbRlsP8D8SN+
MD5:	5C089D9D1E378B10AA781043EE7DC9A8
SHA1:	9624F53FE4C5DD8F29C24A7EEB60DF915DAE340F
SHA-256:	3A8244E1AF83797A06DF9C9F93AEBF6B7A101537CA591C1EAED05134B30DF25C
SHA-512:	61826C26AE9203FEC8AD2812F379A25437361DE59ECA91F582F6B1502DA4E917173B4D0C822D2FB086AD65BF32583A31DD09D030D089A754F22EEDFC1A1679D3
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@/Q.Y.@.....@.....@.....@.....@.....@......&.{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}..Nvidia Manage..mirabon.msi.@.....@..@..@.....@........&.{0D31114D-A190-4318-80CC-A4C94BB5A010}.....@.....@.....@.....@.......@.....@.....@.......@......Nvidia Manage......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}.@......&.{C7047CA2-930D-401A-9EE7-F73A42F04B5A}&.{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}.@........CreateFolders..Creating folders..Folder: [1]#.C.C:\Users\user\AppData\Roaming\Nvidia Manage INC\Nvidia Manage\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..*.C:\Users\user\AppData\Roaming\gpuset\....6.C:\Users\user\AppData\Roaming\gpuset\gpufault.dll....WriteRegistryValue

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2ae97f98-0092-4d0f-8a0a-7c4d59a1c43f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.2837343839878925
Encrypted:	false
SSDEEP:	384:GJCmLYJc/jw6GY9olRb5cpzuiF1Y4lO8k:GJvYJc/jyYyjbepzuiF1Y4lO8
MD5:	3DE959A1E167B0B06E33A9ADFD8EB9E9
SHA1:	BE7D31D1873E48142385544C4824E698BE3BF77D
SHA-256:	3EB5ADCAF5F9273712B11F90C5C1BF24E54C53AD8852B8845E362CA66113D697
SHA-512:	F2D36214D89F55A6316A576F69C7B4C5CCDC8290794222E89864E94689EB207256EF9E572FFE11425BC944E0DD2E611D98810EE07A68E4DE1AB37AFF774F53D9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.4.7.4.1.1.1.1.5.2.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.e.9.7.f.9.8.-.0.0.9.2.-.4.d.0.f.-.8.a.0.a.-.7.c.4.d.5.9.a.1.c.4.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.d.c.e.d.2.c.-.a.c.e.a.-.4.f.2.2.-.a.1.5.f.-.1.c.f.d.3.d.9.3.4.1.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.d.8.-.0.0.0.1.-.0.0.1.4.-.e.c.4.b.-.c.1.7.f.1.7.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC339.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, CheckSum 0x00000004, Thu Dec 19 15:12:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1137864
Entropy (8bit):	1.3130417166919697
Encrypted:	false
SSDEEP:	3072:A0v+UPeV/xLUEYh7DwZX57NtbS6S52IMcI55:oUPgLzikZHtbjSE5
MD5:	6C0941BEE1C375369ECBD2940DFEA301
SHA1:	DAA413B40405A5AA0D390B23C5CAFF9104BACE48
SHA-256:	82DFEF8F55BD311B4E25F9A85D65C1789133E65756BE8C7CDA9B1DD2C948A767
SHA-512:	90B066940F60F5525B1CF5FF9131E7E95B13EAE8251C6390BCDC890E98B330A9FFE9535256DB453F0E964FDA708B69204D2FB64C6FE163A99B723BD202156EF6
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........7dg................ .......pl..............0..................d...,D..........x.......8...........T...$........Q..8.......................t...........................................................................................eJ......(.......Lw......................T...........y.dg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDBA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10876
Entropy (8bit):	3.6987806018216465
Encrypted:	false
SSDEEP:	192:R6l7wVeJdX+6YsJigmfqzVyprK89bbJDDfDJm:R6lXJ9+6YyigmfqzVsb9DfA
MD5:	5701B7A42C3A44D7FFFC466ABF958061
SHA1:	4864FFBEBBADEE7E1A9A674DAB2C22F5DB80C687
SHA-256:	BDAB446F932BBC027BB5AD89D906483C80D822B1FD384F281C2F06C938EE5606
SHA-512:	6AD803ACCA4AB94947EE3EA548E06C07F92CA356CBBC281202F18271D3C2F0784AC2D15DA11B9F091AF2141487BC1FB9BDAA316416FDBA8C8BC25B7F0FCEB14A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDE9.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.460635178345506
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBrJg771I9AzWpW8VYEYm8M4JYmFvEyq85cotb9Q32d:uIjfBFI7fC7VkJE6tba32d
MD5:	D2B49EC178AEA8BBA6E3832EBCD635A7
SHA1:	11B4B5B2AF592B1431D93BBE4CF4D898DCFCE5B4
SHA-256:	B49E316C0D9DE7AB9FB4E0B5A7EBE06FCEEC0A03CCB12B022BE8006A756BC6EF
SHA-512:	24BA642AF87ED9F9FE745644AD5FD4D18149395E1C7557DA04C725151B67BAFBE7694BE0285C112F9CCA0E22DFFAE7FE893600842A8D869143D2D0E18B78086B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638295" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107552
Entropy (8bit):	4.006181503250095
Encrypted:	false
SSDEEP:	768:Dql6mCkbGV6SxZjk0ooMvqj0NTLNwzjU1ONPJZ4R1v4+SzQlJmKypu3UAhwiAGik:DSCkC62Mvqj7QThwiAGin7EFBKZnxTob
MD5:	CFD3C4CCA36FA5FD706B00CF83492E66
SHA1:	B319722E1ECD7541D7CAC3199F330895C7351ECF
SHA-256:	0DC37ABEC05FDBC0A0382968214A35DA72641AEA0334EAED37A35FBB3E7402F0
SHA-512:	4031CCDCC8DDBB34C9EC370D2935283CDBBC9E57FC9F3B13B96B0E73DD983A43CED3073412D7D3C92BC0ACC11F85A9C409D0EF17CE104CD9B35A3FA5FF76D46B
Malicious:	false
Preview:	....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107552
Entropy (8bit):	4.0067818085197775
Encrypted:	false
SSDEEP:	768:Dcl6YCk3GV6SxZjk0ooMvqj0NTLNwzjU1ONPJZ4R1v4+SzQlJmKypu3UAhwiAGi6:DmCke62Mvqj7QThwiAGin7EFBKgn0Tob
MD5:	BCBCBDC781D0FF898ADBBBC1F625D168
SHA1:	13E773152AC6A767B5FE16915CB13DDF29361B5B
SHA-256:	12C5EE0806C06EC13151CA7D5FAC789D72225B7FEBFF510B58A6576151211599
SHA-512:	3269C67A1B6123F1BDF8CFCE506286AECD2FB51888CCE5B2767A245CDCB0767AEF470A86DC1E17FEEF96D37F001A7EEA53496B63084B319F85866C6A37BFF07D
Malicious:	false
Preview:	....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	891
Entropy (8bit):	5.222344879129331
Encrypted:	false
SSDEEP:	24:Yzc2TKgHYoiScpTkC3c27c8Ht0drc6hE1opM:YzDuM0SEzD7Pt0drcAEMM
MD5:	54CB3617155DFC3B0CDFC6A0FD00ED6F
SHA1:	FE0333B61738657447449E6D51C9CE011839692D
SHA-256:	DE367797B64D2EA0196BD4F4DB1BBB2E1A7C9338C7B60919D022E11E912959A1
SHA-512:	DB0B1CC974A900572193779B0D90C52A8089964A60A1A519F5542E05B7A8A24082043A38525529D7E4E81A96082E383CE6C944FF4D32095078369F1FC4C74184
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"b49cadae-6490-4807-82b1-f7d361306f32","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"b49cadae-6490-4807-82b1-f7d361306f32\|2024-12-19T15:12:30.3356419Z\|fabric_msn\|EUS2-A\|News_594","tier":"\u0000","clientActivityId":"A54F5523-F6DE-473C-A25B-D9D285B1AF8D"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false},"isPartial":false}

C:\Users\user\AppData\Roaming\gpuset\gpufault.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3954176
Entropy (8bit):	6.141170391700714
Encrypted:	false
SSDEEP:	49152:uUhs9XR3wxZXRTZUcuVHleFPH1FBJtFfmHrgdvs+s9bj5ZDhN4q:SagbONF30blJ7B
MD5:	72462AE450BB675EAE4EC1BA6BCB8305
SHA1:	C14355446CDC6786E9EF69180FC699D8CC17AECD
SHA-256:	1BCF12604F49243FBB260F7E52B485FEF7E215C5462E63BA2106BCBB7F68E3FA
SHA-512:	68FCA442B0A19C46407F7863C92F6639F5954DC250AAD9A6F1CE5C57D6D2BC14876C3160480FF8C0FD7149ABD9CD3980B49A35DBD2726D8E8794434A29184B93
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......#?U.g^;.g^;.g^;..:8.j^;..:?.\|^;..:>..^;.t88.n^;.t8>..^;.t8?.D^;....f^;.....d^;...>.b^;.\|..w^;....f^;.....e^;....z^;.g^:..^;.[9>.x^;.[9?.f^;.[9;.f^;.[9.f^;.[99.f^;.Richg^;.........PE..d...g\|hf.........." ......%..>...............................................`>.....V.2...`A.........................................[/.X.....3.,.....3.<L...P1..}....2.(&....>.. ..px+.8...................8.+.(....x+...............3..............................text...Q.%.......%................. ..`.rdata.......0%..0....%.............@..@.data...P....`/..b...H/.............@....pdata......P1......./.............@..@.idata...3....3..4...P1.............@..@.gfids..$1...@3..2....1.............@..@.giats........3.......1.............@..@minATL..).....3.......1.............@..@.00cfg........3.......1.............@..@.tls..........3.......1.............@....rsrc...<L....3..N....1.

C:\Users\user\NTUSER.DAT.Not

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	120
Entropy (8bit):	5.227613725985919
Encrypted:	false
SSDEEP:	3:TnmyWJFmBzdalViSVg8nBLoVcoSzVABysBydVyskVLLrci5gn:Tmz4ElVz5B55kQiXVbT+n
MD5:	542174ADE9675F596FEFDDC0EF232854
SHA1:	26F5E97A84AD0413F693E039ADD99FDF40B18BFC
SHA-256:	2837BB64C2DA5C35E958AD3035D4C2B1B27CCEC25017CA57B1D161A545502FFC
SHA-512:	0281E20C7210AFC93025DD91882D809C97D441F1D4142474E050BC3B598A5CA73AFA5472E962D63EBE842F0DA2A6D0D4958A3BD30D22EECB86D0BF882FCEAD46
Malicious:	false
Preview:	{Z3B1ZmF1bHQuZGxs, IkM6XFVzZXJzXGZyb250ZGVza1xBcHBEYXRhXFJvYW1pbmdcZ3B1c2V0XGdwdWZhdWx0LmRsbCI=, MQ==, R2ZlWGNvZGVGdW5j}

C:\Windows\Installer\6c24ff.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {0D31114D-A190-4318-80CC-A4C94BB5A010}, Number of Words: 10, Subject: Nvidia Manage, Author: Nvidia Manage INC, Name of Creating Application: Nvidia Manage, Template: ;1033, Comments: Create database IInlimited, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2416640
Entropy (8bit):	7.734473917523424
Encrypted:	false
SSDEEP:	49152:GBdTYBZKumZr7AC1su1uXZn8Ud9JCM5Rm5hfJYPYtwRXIhMRs:+YnK/AyuSyJN5RmjJvi4+
MD5:	A9ABE7B0D625CB55ADB1E9C3E7DF498B
SHA1:	8FC950287AA5BD3DB8449B9EBDEECF9CBD0A4D57
SHA-256:	D500D26F09F5419CA83D0604DEFE1CC7B17B16530EE2667EFF4CEC07BDEC2F99
SHA-512:	62C34BCCB0F47C0F4A361DBA51161353CDAAE2FD8C850E707D981391F6E5E60F56F6181B53E8BC18806CA64863E06AF1E09C62E70D87A8E57CD97A3A8797A538
Malicious:	false
Preview:	......................>...................%...................................D.......`......................................./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...............................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...........F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI2618.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: lavita.msi, Detection: malicious, Browse Filename: 45c62e.msi, Detection: malicious, Browse Filename: Doc_21-04-53.js, Detection: malicious, Browse Filename: klog.php.msi, Detection: malicious, Browse Filename: Doc_21-04-53.js, Detection: malicious, Browse Filename: fes.msi, Detection: malicious, Browse Filename: zdi.txt.msi, Detection: malicious, Browse Filename: merd.msi, Detection: malicious, Browse Filename: medk.msi, Detection: malicious, Browse Filename: lavi.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI26B5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI26E5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2715.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2793.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1793
Entropy (8bit):	5.569575133342501
Encrypted:	false
SSDEEP:	48:Xe9dN7hlAOlabIAEhclsP3+ON5D8SXlnl9N:XerNtlplasxclsdXXlnln
MD5:	D5E6384235E6CEAE9E0976440E10322B
SHA1:	48D804627D45AA30D611F7FC4DA7EA5608747EBD
SHA-256:	20A0BF4BB253BAEC79F3E68390FFD18CBC1CBAEE64C36F5B15B3BA3E03677514
SHA-512:	C9FE17F997C983D7BE1A91780CE1C91F0FC473C0D61B19D1A454FD6669D71767D6A16DD9DD2D62603C26A6D55D41B93C5B3A8B550DD3E4364F37E02F551B0608
Malicious:	false
Preview:	...@IXOS.@.....@/Q.Y.@.....@.....@.....@.....@.....@......&.{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}..Nvidia Manage..mirabon.msi.@.....@..@..@.....@........&.{0D31114D-A190-4318-80CC-A4C94BB5A010}.....@.....@.....@.....@.......@.....@.....@.......@......Nvidia Manage......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}C.C:\Users\user\AppData\Roaming\Nvidia Manage INC\Nvidia Manage\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}4.01:\Software\Nvidia Manage INC\Nvidia Manage\Version.@.......@.....@.....@......&.{C7047CA2-930D-401A-9EE7-F73A42F04B5A}6.C:\Users\user\AppData\Roaming\gpuset\gpufault.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".C.C:\Users\user\AppData\Roaming\Nvidia Manage INC\Nvidia Manage\.@........InstallFiles..Copying new files&.File: [1],

C:\Windows\Installer\SourceHash{6526CBB4-D28A-4CBC-AF93-907FED1F0EB9}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1625100654659097
Encrypted:	false
SSDEEP:	12:JSbX72FjZ0lAGiLIlHVRpY5h/7777777777777777777777777vDHFlDddpdl0i5:JAlQI5eHmF
MD5:	F2EA56DBD3EE39BA9156AA6B54B9BD0F
SHA1:	F27E87C4176DB4F1378B715CDB8C7D2A9B38DE2E
SHA-256:	61DA67BA1F4ECC293EA8259919F9300C2A93465473D4192F66B1B7E6EE015D8C
SHA-512:	9F26309219BF6C798027CEEB1B6F362858EB899F9D9D473FFE87ACDE91B70630A064FBA75057A9CC010C233C37C9C729BD417901EAA0B208E5EEB96FCB8801C9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5618784757314748
Encrypted:	false
SSDEEP:	96:Yhm1tjTQpBtJrRrJrIZlCBvHJrRrJr0V:H1poHKK
MD5:	889BF38D3AB3FF50D35B51D27AD177B3
SHA1:	ED77BC97BD298767C48442622F02683F2FB1B034
SHA-256:	066E77B4917C79F375EC6E3E63FBA27695077758E2DB6A477A6321AD11F88BE3
SHA-512:	C5781DE5EC06E4F3C062FAB6BD5D50A12B3A8058801F390E6D139F0FBD1AD44722122D84BE6A7FFE8BE08757096F346F7C1CDA655E3E0C2179F3A3D66024B8DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362972061630627
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauf:zTtbmkExhMJCIpEa
MD5:	39D29E25953AC5C3D2679158A122ECDC
SHA1:	07F92EAFE44F4DDC3A874836BF74641BB348AF29
SHA-256:	336BC888D572DEBB6E7DA922FD0A8E80388C69A43D4DBD92E443A24D405A6E94
SHA-512:	6D975D964BED481EA3E08C627F657947B3A29FF0BBCF45FEAD8FC4B610ECF3C065E9A52A77C376012AFC1198CC240A18A36C0179758961132B93C9315F27D397
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF3127AAB1AA391739.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5618784757314748
Encrypted:	false
SSDEEP:	96:Yhm1tjTQpBtJrRrJrIZlCBvHJrRrJr0V:H1poHKK
MD5:	889BF38D3AB3FF50D35B51D27AD177B3
SHA1:	ED77BC97BD298767C48442622F02683F2FB1B034
SHA-256:	066E77B4917C79F375EC6E3E63FBA27695077758E2DB6A477A6321AD11F88BE3
SHA-512:	C5781DE5EC06E4F3C062FAB6BD5D50A12B3A8058801F390E6D139F0FBD1AD44722122D84BE6A7FFE8BE08757096F346F7C1CDA655E3E0C2179F3A3D66024B8DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF47C405809BEAAC01.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6C6DEB475CB79BA7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13724158709234693
Encrypted:	false
SSDEEP:	48:GhETSJfjRS+JfjYJfjRS+JfjvAE+lCy8sMLBzp:GhzJrRrJrYJrRrJrIZlCBvLVp
MD5:	3927E5C2214EC02C99936A44CDB4A83B
SHA1:	5BA02734F345E8E59ED035B79350FF6BDF17347F
SHA-256:	BCCE05C20B78557526574E45A5AA3A2457EB18C678E73D7D10C456164A1F2591
SHA-512:	1D3B28748829FAC69A7F01470B0595F31B9CE78AC738B4494134A5CFC9ADFA609672C7DF2EB69624E83CC78AFF5670BEB77DECD9C1836F4FFA4B087522E5B0BA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7D4CB92359B3769E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9DE2386F38C2C2FD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA7F00CC4B22B16FE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5618784757314748
Encrypted:	false
SSDEEP:	96:Yhm1tjTQpBtJrRrJrIZlCBvHJrRrJr0V:H1poHKK
MD5:	889BF38D3AB3FF50D35B51D27AD177B3
SHA1:	ED77BC97BD298767C48442622F02683F2FB1B034
SHA-256:	066E77B4917C79F375EC6E3E63FBA27695077758E2DB6A477A6321AD11F88BE3
SHA-512:	C5781DE5EC06E4F3C062FAB6BD5D50A12B3A8058801F390E6D139F0FBD1AD44722122D84BE6A7FFE8BE08757096F346F7C1CDA655E3E0C2179F3A3D66024B8DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAA7AE56EEE566A98.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07019254875528211
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO65+DdKshqVky6lf1:2F0i8n0itFzDHFlDd/d
MD5:	7CCDA4E5A01268404561F6A5A4278034
SHA1:	B2D0143E9D0ABF186C8540642E540290F706F428
SHA-256:	0FDBB15E5B0A3495281924FED801E881036BF752A8CAF7EE83114EC1F884DCDB
SHA-512:	67F5E303471EAA2D79748805E0A0CE32BE633CB6304D8783F116C9BC34F6AFA0D721C87831A85BF24F1ED79A52B72E4532FE698FC105B45761D91EC2BD0F0438
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAC63758EDC07B166.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2526091689087346
Encrypted:	false
SSDEEP:	48:WvuubI+CFXJxT56pBBLJfjRS+JfjvAE+lCy8sMHJfjRS+JfjbTkV:QutZTwpBtJrRrJrIZlCBvHJrRrJr0V
MD5:	CB753EB157F6C7528D4D20374A942619
SHA1:	06C32D74ABB1CC3C6DA99409DB9B3D1CC727282B
SHA-256:	0167ABC32E845C46A2B3C82DDEF5E342B48A71A164A5DACDE511E1E54913BFF7
SHA-512:	77BA8078FA29BAE7DF5ABB9989DDCC99A566865DD033999633A17AE43E27F07001781491B1A3D13EA7D8B9E1B9325DF3F53E9EFF213945DAAE0B1950292E3B8A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB4C2A51C379386DF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBB5599D4DF25B098.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2526091689087346
Encrypted:	false
SSDEEP:	48:WvuubI+CFXJxT56pBBLJfjRS+JfjvAE+lCy8sMHJfjRS+JfjbTkV:QutZTwpBtJrRrJrIZlCBvHJrRrJr0V
MD5:	CB753EB157F6C7528D4D20374A942619
SHA1:	06C32D74ABB1CC3C6DA99409DB9B3D1CC727282B
SHA-256:	0167ABC32E845C46A2B3C82DDEF5E342B48A71A164A5DACDE511E1E54913BFF7
SHA-512:	77BA8078FA29BAE7DF5ABB9989DDCC99A566865DD033999633A17AE43E27F07001781491B1A3D13EA7D8B9E1B9325DF3F53E9EFF213945DAAE0B1950292E3B8A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD2835E268EFD4831.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2526091689087346
Encrypted:	false
SSDEEP:	48:WvuubI+CFXJxT56pBBLJfjRS+JfjvAE+lCy8sMHJfjRS+JfjbTkV:QutZTwpBtJrRrJrIZlCBvHJrRrJr0V
MD5:	CB753EB157F6C7528D4D20374A942619
SHA1:	06C32D74ABB1CC3C6DA99409DB9B3D1CC727282B
SHA-256:	0167ABC32E845C46A2B3C82DDEF5E342B48A71A164A5DACDE511E1E54913BFF7
SHA-512:	77BA8078FA29BAE7DF5ABB9989DDCC99A566865DD033999633A17AE43E27F07001781491B1A3D13EA7D8B9E1B9325DF3F53E9EFF213945DAAE0B1950292E3B8A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF772A8C7737BCD57.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {0D31114D-A190-4318-80CC-A4C94BB5A010}, Number of Words: 10, Subject: Nvidia Manage, Author: Nvidia Manage INC, Name of Creating Application: Nvidia Manage, Template: ;1033, Comments: Create database IInlimited, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.734473917523424
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	mirabon.msi
File size:	2'416'640 bytes
MD5:	a9abe7b0d625cb55adb1e9c3e7df498b
SHA1:	8fc950287aa5bd3db8449b9ebdeecf9cbd0a4d57
SHA256:	d500d26f09f5419ca83d0604defe1cc7b17b16530ee2667eff4cec07bdec2f99
SHA512:	62c34bccb0f47c0f4a361dba51161353cdaae2fd8c850e707d981391f6e5e60f56f6181b53e8bc18806ca64863e06af1e09c62e70d87a8e57cd97a3a8797a538
SSDEEP:	49152:GBdTYBZKumZr7AC1su1uXZn8Ud9JCM5Rm5hfJYPYtwRXIhMRs:+YnK/AyuSyJN5RmjJvi4+
TLSH:	6DB502223386C737C95E0270352A929B1178FDAB8B7140C7A3C9391EADB44D16A7DFD6
File Content Preview:	........................>...................%...................................D.......`......................................./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F..................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T16:12:20.475672+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49714	188.114.97.6	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 16:09:36.430679083 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:36.550302982 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:36.550390005 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:36.594131947 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:36.713691950 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.261358023 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.261372089 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.261384964 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.261435032 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:38.261473894 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:38.315412045 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:38.435077906 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.705760956 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:09:38.708570957 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:38.723416090 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:09:38.842963934 CET	8817	49705	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:10.759936094 CET	49705	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:37.212150097 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:37.331744909 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:37.331947088 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:37.332384109 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:37.451997995 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:38.653723001 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:38.653738976 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:38.653752089 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:38.653867960 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:38.663347006 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:38.782850981 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:39.089982986 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:39.090079069 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:39.090612888 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:39.210314989 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:46.779781103 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:10:46.779877901 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:10:46.781655073 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:46.901990891 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:46.902132988 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:46.902920961 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:47.022620916 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.148248911 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.148317099 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.148396969 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.148411036 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.148442030 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.148463964 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.152925014 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.272409916 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.551246881 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:48.551454067 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.551930904 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:48.671708107 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.174880028 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.174973965 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.174982071 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.175096989 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.175111055 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.175142050 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.175174952 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.175184011 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.175240993 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.175285101 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.175467014 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.183609009 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.183706045 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.183725119 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.183820963 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.192223072 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.192235947 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.192306995 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.199575901 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.199650049 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.199683905 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.199780941 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.208005905 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.208105087 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.253149033 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.253226042 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.294441938 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.294465065 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.294543982 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.367163897 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.367172003 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.367228031 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.371114969 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.371181011 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.372629881 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.372678995 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.372709036 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.372735977 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.377739906 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.377800941 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.377804995 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.377850056 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.385720015 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.385781050 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.385844946 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.393925905 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.394021034 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.394071102 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.394117117 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.402301073 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.402316093 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.402376890 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.410501957 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.410525084 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.410587072 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.418715954 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.418771982 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.418798923 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.418855906 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.426830053 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.426919937 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.426934004 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.426995993 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.546376944 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.546456099 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.546793938 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.546852112 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.666045904 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.666057110 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.666121006 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.785612106 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785621881 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785677910 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785685062 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785689116 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.785708904 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785713911 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785761118 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.785794973 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.785836935 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.785893917 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.798372030 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798382998 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798393965 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798405886 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798446894 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.798458099 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798476934 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.798490047 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.798536062 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.798649073 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.799166918 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799246073 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.799319029 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799326897 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799352884 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799361944 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799370050 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799376011 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799381971 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799382925 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.799390078 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.799434900 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.799458981 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.800108910 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800117016 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800175905 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.800540924 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800548077 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800599098 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.800601959 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800609112 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800637007 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800643921 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800656080 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800662994 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800667048 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.800669909 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.800694942 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.800733089 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.801554918 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801563025 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801575899 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801582098 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801588058 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801595926 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801601887 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801614046 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801620007 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801623106 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.801626921 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801634073 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.801686049 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.801717043 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.802434921 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.802443027 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.802455902 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.802465916 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.802506924 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.802544117 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.812918901 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.812925100 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.812993050 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.905721903 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.905884981 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.905908108 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.905976057 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.908421993 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.908543110 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.908555031 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.908835888 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.914000034 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.914066076 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.914067030 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.914119959 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.919744015 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.919802904 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.922422886 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.922475100 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.922492027 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.922523975 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.927972078 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.928039074 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.928062916 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.928092003 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.933573008 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.933653116 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.933661938 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.933737993 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.937289000 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.937342882 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.937388897 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.937446117 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.940716982 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.940794945 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.940953970 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.941029072 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.944555044 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.944562912 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.944612980 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.947891951 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.947953939 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.947977066 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.948024035 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.951462984 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.951584101 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.951647043 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.955126047 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.955271006 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.955369949 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.958617926 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.958663940 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.958885908 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.958980083 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.962387085 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.962462902 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.962471008 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.962517977 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.965980053 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.966068029 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.966084003 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.966145039 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.969396114 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.969510078 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.969566107 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.973048925 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.973081112 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.973155975 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.976553917 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.976762056 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.976831913 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.980156898 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.980216980 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.980273962 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.980341911 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.983844995 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.983999014 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.984055996 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.987274885 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.987370968 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.987428904 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.990942001 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.991024017 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.991113901 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.994498968 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.994551897 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.994616985 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:56.998080015 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.998130083 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:56.998187065 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.001769066 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.001857042 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.001915932 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.005227089 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.005285025 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.005321980 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.005398989 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.009118080 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.009183884 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.009257078 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.012398005 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.012485027 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.012578964 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.015928984 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.015983105 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.025458097 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.025567055 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.026338100 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.026408911 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.028110981 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.028186083 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.028208971 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.028247118 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.031733990 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.031923056 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.032104015 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.035393953 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.035410881 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.035480022 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.038908958 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.038928986 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.038992882 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.042506933 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.042541027 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.042614937 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.046052933 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.046098948 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.046189070 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.049583912 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.049767971 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.049844027 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.053385973 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.053455114 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.053549051 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.053606033 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.056842089 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.056884050 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.056952000 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.060414076 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.060457945 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.060554981 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:10:57.063961983 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:10:57.064060926 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:33.446065903 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:33.567338943 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:33.567550898 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:33.567795992 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:33.687269926 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:37.837378979 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:37.837415934 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:37.837428093 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:37.837526083 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:37.837595940 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:37.841038942 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:38.016407967 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:44.390094042 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:44.390180111 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:44.390928030 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:11:44.510535955 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:59.328135014 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:11:59.328210115 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:16.782907963 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:12:16.782963037 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:12:19.250973940 CET	49714	443	192.168.2.7	188.114.97.6
Dec 19, 2024 16:12:19.251029968 CET	443	49714	188.114.97.6	192.168.2.7
Dec 19, 2024 16:12:19.251115084 CET	49714	443	192.168.2.7	188.114.97.6
Dec 19, 2024 16:12:19.251708031 CET	49714	443	192.168.2.7	188.114.97.6
Dec 19, 2024 16:12:19.251732111 CET	443	49714	188.114.97.6	192.168.2.7
Dec 19, 2024 16:12:20.475595951 CET	443	49714	188.114.97.6	192.168.2.7
Dec 19, 2024 16:12:20.475672007 CET	49714	443	192.168.2.7	188.114.97.6
Dec 19, 2024 16:12:26.343442917 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:26.343501091 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:26.874342918 CET	49714	443	192.168.2.7	188.114.97.6
Dec 19, 2024 16:12:38.504446983 CET	49712	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:38.505027056 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:38.624236107 CET	8817	49712	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:38.624651909 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:38.624792099 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:39.605057001 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:39.724879980 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:39.998483896 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:39.998511076 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:39.998523951 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:39.998543024 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:39.998574018 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.201242924 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.320911884 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.591958046 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.592053890 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.752799988 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.752939939 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.872927904 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.872946024 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.872956038 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.872966051 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.872975111 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.872987986 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873011112 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873009920 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873023033 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873070002 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873070002 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873096943 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873105049 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873116016 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873142958 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873172045 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.873204947 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.873250961 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.992724895 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.992799044 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.992809057 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.992820024 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.992911100 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.992933989 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.992980003 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.993035078 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.993089914 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:40.994388103 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:40.994533062 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:41.112608910 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.112680912 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.112682104 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:41.112692118 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.112791061 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.112799883 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.114387989 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.114563942 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.114706993 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.114938974 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115122080 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115129948 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115279913 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115288973 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115472078 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115485907 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115710974 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115719080 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115801096 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115809917 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115931034 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.115938902 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.232332945 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.232424974 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.232454062 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.233876944 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.684921026 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:12:41.804775000 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.804796934 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.804848909 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.804915905 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:12:41.804997921 CET	8817	49729	94.232.40.41	192.168.2.7
Dec 19, 2024 16:13:12.711033106 CET	49729	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:13:15.831454039 CET	49711	8817	192.168.2.7	94.232.46.11
Dec 19, 2024 16:13:15.831824064 CET	49713	8817	192.168.2.7	94.232.40.41
Dec 19, 2024 16:13:15.951318979 CET	8817	49711	94.232.46.11	192.168.2.7
Dec 19, 2024 16:13:15.951883078 CET	8817	49713	94.232.40.41	192.168.2.7
Dec 19, 2024 16:13:15.951999903 CET	49713	8817	192.168.2.7	94.232.40.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 16:09:35.291857004 CET	54259	53	192.168.2.7	1.1.1.1
Dec 19, 2024 16:09:36.315114021 CET	54259	53	192.168.2.7	1.1.1.1
Dec 19, 2024 16:09:36.321902037 CET	53	54259	1.1.1.1	192.168.2.7
Dec 19, 2024 16:09:36.451869965 CET	53	54259	1.1.1.1	192.168.2.7
Dec 19, 2024 16:10:36.801948071 CET	52472	53	192.168.2.7	1.1.1.1
Dec 19, 2024 16:10:37.211127996 CET	53	52472	1.1.1.1	192.168.2.7
Dec 19, 2024 16:12:18.935462952 CET	58335	53	192.168.2.7	1.1.1.1
Dec 19, 2024 16:12:19.206824064 CET	53	58335	1.1.1.1	192.168.2.7
Dec 19, 2024 16:12:28.342819929 CET	53591	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 16:09:35.291857004 CET	192.168.2.7	1.1.1.1	0x1773	Standard query (0)	cronoze.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:09:36.315114021 CET	192.168.2.7	1.1.1.1	0x1773	Standard query (0)	cronoze.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:10:36.801948071 CET	192.168.2.7	1.1.1.1	0xd947	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:12:18.935462952 CET	192.168.2.7	1.1.1.1	0xd991	Standard query (0)	proliforetka.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:12:28.342819929 CET	192.168.2.7	1.1.1.1	0x97a9	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 16:09:36.321902037 CET	1.1.1.1	192.168.2.7	0x1773	No error (0)	cronoze.com		94.232.40.41	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:09:36.451869965 CET	1.1.1.1	192.168.2.7	0x1773	No error (0)	cronoze.com		94.232.40.41	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:10:37.211127996 CET	1.1.1.1	192.168.2.7	0xd947	No error (0)	muuxxu.com		94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:12:19.206824064 CET	1.1.1.1	192.168.2.7	0xd991	No error (0)	proliforetka.com		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:12:19.206824064 CET	1.1.1.1	192.168.2.7	0xd991	No error (0)	proliforetka.com		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 19, 2024 16:12:28.480362892 CET	1.1.1.1	192.168.2.7	0x97a9	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

Target ID:	0
Start time:	10:09:27
Start date:	19/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\mirabon.msi"
Imagebase:	0x7ff602970000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:09:27
Start date:	19/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff602970000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:09:28
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding AC2828E810036024BC5181D16A644983
Imagebase:	0x5b0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:09:30
Start date:	19/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:/Windows/System32/rundll32.exe gpufault.dll, GfeXcodeFunc
Imagebase:	0x7ff60cea0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000004.00000003.2301509386.0000027F9288B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:10:57
Start date:	19/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000A.00000002.3181432738.00000000099DB000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:12:20
Start date:	19/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4056 -s 7000
Imagebase:	0x7ff6b0050000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:12:24
Start date:	19/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007DF498EC0100 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

@, xrefs: 00007DF498EC0237

Memory Dump Source

Source File: 00000004.00000003.2332171238.00007DF498EC0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF498EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_7df498ec0000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: @
API String ID: 3332741929-2766056989
Opcode ID: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction ID: 7bdb0b4980b9b07f1fc8875b43bf5e00ecd9790668ef6a5037859c945781a200
Opcode Fuzzy Hash: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction Fuzzy Hash: 6971D031614A4C8FEF94EF5CC858BA977E1FBA8315F50462AE81EC72A0DB74D954CB80

Function 00007DF498EC0000 Relevance: 4.6, APIs: 3, Instructions: 88processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007DF498EC0052
Process32First.KERNEL32 ref: 00007DF498EC008B
CloseHandle.KERNEL32 ref: 00007DF498EC00C1

Memory Dump Source

Source File: 00000004.00000003.2332171238.00007DF498EC0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF498EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_7df498ec0000_rundll32.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction ID: e40f7ab2100cc2afe94fec8005532e8f0deb7162a2c947a009eeb773b97fa5e3
Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction Fuzzy Hash: 5C21B83061494C8FEFA1EB5CC858BEA33E1EBA9311F404226D81EDB290DE35AE448750

Function 0000027F9253D270 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1475164952.0000027F92500000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027F92500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_27f92500000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction ID: 6d9d127ccd3dfd325077ffe632fb38cd11b8f84a3fcaab2ebc0d53b115ce5aa5
Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction Fuzzy Hash: 1FF08170628B408BE7449F1884C963677E1FB98655F64452EF98987361CB3198428B43

Function 0000027F9253D2E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1475164952.0000027F92500000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027F92500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_27f92500000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction ID: 5cbbd633afa6259c1f177900140c6121f37b8a92a70d2e44b7aa899390ccea0d
Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction Fuzzy Hash: 63F05470A28F448BD744AF2C888E63577E1F7A8645F54453EA548C7361DB35E8428B83

Function 0000027F9253BE60 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 0000027F9253C0CA

Memory Dump Source

Source File: 00000004.00000003.1475164952.0000027F92500000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000027F92500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_27f92500000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 493f5e9feb3bc185952b791932f3846df56847a002a59b7567bfb59bfa631270
Instruction ID: b70fcdff1e2b238d5b56ea5b9d03c7b061780b242d49db670d6e077b86eab1ec
Opcode Fuzzy Hash: 493f5e9feb3bc185952b791932f3846df56847a002a59b7567bfb59bfa631270
Instruction Fuzzy Hash: 93B1613121CA08CFDB94EF1CC885BAAB7E1FB98311F504669E48EC7251DB34E845CB82

Analysis Process: explorer.exePID: 4056, Parent PID: 3920COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	861
Total number of Limit Nodes:	7

Executed Functions

Function 02E18424 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

GetAdaptersInfo.IPHLPAPI ref: 02E18470
GetAdaptersInfo.IPHLPAPI ref: 02E184A7
wsprintfA.USER32 ref: 02E184F0
wsprintfA.USER32 ref: 02E185DB
wsprintfA.USER32 ref: 02E1863F

Strings

o, xrefs: 02E18482

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
Instruction ID: 07ed4f07480ffc994d384e07a2d011e394fac94e89b929bc9cdbc9c2d56d9e81
Opcode Fuzzy Hash: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
Instruction Fuzzy Hash: E2A1E876249B84CADB70CB14F49439AB7A5F788788F445529EA8E83B68EF3CC544CF40

Function 02E17274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 02E1729C

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

GetAdaptersInfo.IPHLPAPI ref: 02E172C7

Strings

o, xrefs: 02E172A6

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
Instruction ID: 2e5bef14aae0ee64314fa504c08cda9a148a9b3103b93e081220f549ae7b9a24
Opcode Fuzzy Hash: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
Instruction Fuzzy Hash: B801B0B2648B4486DB309B15E49835EB7A0F3C8B98F445225EA8D47B68DB7CC685CF04

Function 02E18D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 02E18D64
wsprintfA.USER32 ref: 02E18D81

Strings

frontdesk, xrefs: 02E18D7A, 02E18D87

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: NameUserwsprintf
String ID: frontdesk
API String ID: 54179028-1081972030
Opcode ID: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
Instruction ID: 6a8d425dfeacaf32e21d66b745f6768efd82b9615d22379eda6d5a96284e95b5
Opcode Fuzzy Hash: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
Instruction Fuzzy Hash: 6EF07D712A4AC7D2EB60DF14E8543A96329FB95748FC06036A14E469A8EF7CC61ECB40

Function 02E1A8E0 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
Instruction ID: 4be140fa8fe25eef20ba4bc82e3e1e0eaf8deb951bbe8c49c57a7708e6246502
Opcode Fuzzy Hash: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
Instruction Fuzzy Hash: 1A310332159A80D5D760DB24F4443AAB365F784368F50A336E69E82BDCDF3CC544CB40

Function 02E1B388 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

Strings

@, xrefs: 02E1B39A

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
Instruction ID: 0960a1e726dc83c378dd22ecfbfc3993d38100bfc8b08440e6d2d49782f671d3
Opcode Fuzzy Hash: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
Instruction Fuzzy Hash: AAE0C9B6638A84C6D7509F65E45470BB764F7847B8F806315FAA906BD8CBBCC118CF00

Function 02E182B4 Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtFreeVirtualMemory.NTDLL ref: 02E182E5

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
Instruction ID: 0e81b4daf35ab72843a299c7c6251e2d5d8a2be2a98c51986be359d0ada5d571
Opcode Fuzzy Hash: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
Instruction Fuzzy Hash: 06E0EC72508A8182D7219B60E4047897760F3953B8F944315EAF912AE8CF7CC289CB04

Function 02E1C704 Relevance: 1.5, APIs: 1, Instructions: 11
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDelayExecution.NTDLL ref: 02E1C726

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
Instruction ID: 1a55daea237dcef503fe8215ad828cbc8f56ea849f3faa0568e929c9110efe22
Opcode Fuzzy Hash: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
Instruction Fuzzy Hash: 38D0C772604680C7CB145B14E44520E7764F795344FD04519E68D45794DA3CC265CF04

Function 02E141B4 Relevance: 9.1, APIs: 6, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
Instruction ID: 7e1786020286cdfaef2e529f73313ef618bc8bd0544fc170b3105254c7458d85
Opcode Fuzzy Hash: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
Instruction Fuzzy Hash: 66315E31298B80C2E7649BB4F8547AA73A5FB94769F40A335F96B467E4DF78C048CB01

Function 02E15160 Relevance: 7.6, APIs: 5, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

HttpOpenRequestA.WININET ref: 02E15305
HttpOpenRequestA.WININET ref: 02E15391
InternetSetOptionA.WININET ref: 02E153D0
HttpSendRequestA.WININET ref: 02E15418
HttpSendRequestA.WININET ref: 02E15439

Part of subcall function 02E182B4: NtFreeVirtualMemory.NTDLL ref: 02E182E5

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: HttpRequest$MemoryOpenSendVirtual$AllocateFreeInternetOption
String ID:
API String ID: 2140924187-0
Opcode ID: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
Instruction ID: 7c07671afd39af5079f0276039bd0a8ec3e8c0a4b5eadbe2d394a96d65933f7a
Opcode Fuzzy Hash: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
Instruction Fuzzy Hash: C771B332249BC486DB60DB14F48439AB7A5F7C8788F94512AEACE43A68DF7DC584CF40

Function 02E18C30 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstVolumeW.KERNEL32 ref: 02E18C6A
GetVolumeInformationW.KERNEL32 ref: 02E18CBE
FindVolumeClose.KERNEL32 ref: 02E18CCD

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
Instruction ID: cef9261e3de29c3843e9d0af9971148d8037a3816dd7ce077fdb67948743cd62
Opcode Fuzzy Hash: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
Instruction Fuzzy Hash: 2C111F76259B80C6D760DB10F48439BB7B5F795354F904236E29E42AE8DF7CC549CB40

Function 02E18A58 Relevance: 1.6, APIs: 1, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 02E18B6D

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: dd05d69051d8526e51a2bec147cb8dd081a76b38c43059c36bd5d7d32c083d26
Instruction ID: f56dabdd3e288629887b2c6e9ae779430c2c30d2c44507cdc4f244e408858323
Opcode Fuzzy Hash: dd05d69051d8526e51a2bec147cb8dd081a76b38c43059c36bd5d7d32c083d26
Instruction Fuzzy Hash: 5941AA76619A8487DB90CB19E49076AB7A0F3C8B88F505126EBCE83B68DB3CC551CF00

Function 02E1545D Relevance: 1.5, APIs: 1, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET ref: 02E15305

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: HttpOpenRequest
String ID:
API String ID: 1984915467-0
Opcode ID: b63ba8eaa06b2abc429e5557986bc836de0240013f192fa4620f15fbf5b13976
Instruction ID: 141050591850f211b49da608887672c6cf2df896541cfe7c07a302cfbaf8a658
Opcode Fuzzy Hash: b63ba8eaa06b2abc429e5557986bc836de0240013f192fa4620f15fbf5b13976
Instruction Fuzzy Hash: B211DD32149BC0C6EB65CB54F48439AB7B4F3C9398F945536EACA82A68DB7DC484CF01

Function 02E16C6C Relevance: 1.5, APIs: 1, Instructions: 17
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 02E16C90

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0926225cdb8231c0071b822caba6bf63f9d334e810094fff266de868dfe5a6cc
Instruction ID: 0bbb2cc7f1a6464f68f267f73261de92f22bd8ce15384b76b381c6f423122034
Opcode Fuzzy Hash: 0926225cdb8231c0071b822caba6bf63f9d334e810094fff266de868dfe5a6cc
Instruction Fuzzy Hash: 47E08672664B80C5D764DF20F48838A77A4F3D4398F806026E58F46B68DF3CC199CB00

Non-executed Functions

Function 02E12164 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206
pipefileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32 ref: 02E12233
SetHandleInformation.KERNEL32 ref: 02E1224D
CreatePipe.KERNEL32 ref: 02E1226E
SetHandleInformation.KERNEL32 ref: 02E12288
CreatePipe.KERNEL32 ref: 02E122A9
SetHandleInformation.KERNEL32 ref: 02E122C3
CreateProcessW.KERNEL32 ref: 02E12385

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

PeekNamedPipe.KERNEL32 ref: 02E12434
ReadFile.KERNEL32 ref: 02E12490
PeekNamedPipe.KERNEL32 ref: 02E124E4
ReadFile.KERNEL32 ref: 02E12540
GetExitCodeProcess.KERNEL32 ref: 02E12579
TerminateProcess.KERNEL32 ref: 02E125AA
CloseHandle.KERNEL32 ref: 02E125B8

Part of subcall function 02E1C704: NtDelayExecution.NTDLL ref: 02E1C726

CloseHandle.KERNEL32 ref: 02E125C6
CloseHandle.KERNEL32 ref: 02E125D4
CloseHandle.KERNEL32 ref: 02E125E2

Part of subcall function 02E182B4: NtFreeVirtualMemory.NTDLL ref: 02E182E5

Strings

h, xrefs: 02E122C9

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: 1524f5b28a2edb6cb4b23f8a254870fd250a8d12787243c2afd0398788242095
Instruction ID: 0c8625c1ac21d7bc920efd53ee1c5477fa0ea7f18d5acec2c3e111562b231961
Opcode Fuzzy Hash: 1524f5b28a2edb6cb4b23f8a254870fd250a8d12787243c2afd0398788242095
Instruction Fuzzy Hash: 37C1B436258BC0CAE760DB65F49479AB7A1F3C4758F509126EA8983E68DFBDC448CF40

Function 02E180B8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 02E18123
NtCreateFile.NTDLL ref: 02E181A0

Strings

0, xrefs: 02E1810B
@, xrefs: 02E18136

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 163a1ef7f33438d4532239550843a801b488fff278782a1d37a7daa1ffc6847a
Instruction ID: ab917066e712d36c1b47a3cb21a7910053fa251c1d5adf95680d3c19c040d3f6
Opcode Fuzzy Hash: 163a1ef7f33438d4532239550843a801b488fff278782a1d37a7daa1ffc6847a
Instruction Fuzzy Hash: B121AF721187C48AE760DF14F45478BBBA5F384398F90821AE2D947AA8DB7DD589CF40

Function 02E12B28 Relevance: 6.1, APIs: 4, Instructions: 112fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

FindFirstFileA.KERNEL32 ref: 02E12BE7
wsprintfA.USER32 ref: 02E12CAD
FindNextFileA.KERNEL32 ref: 02E12CDA
FindClose.KERNEL32 ref: 02E12CED

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: 19b5a71f4bd669ed1cbe17d3c7cdf1e0173d750f2f9a06502065251e799152bb
Instruction ID: 91e1553994ad6eab748b3b2ba24743162a8ef7fae2ef1ca5c5df866c52131c6d
Opcode Fuzzy Hash: 19b5a71f4bd669ed1cbe17d3c7cdf1e0173d750f2f9a06502065251e799152bb
Instruction Fuzzy Hash: CB512D32258BC591DB20DB14F89439EA365F784788F84A536EB8E43A68EF7CC549CB40

Function 02E15078 Relevance: 1.6, APIs: 1, Instructions: 57filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET ref: 02E150D4

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
Instruction ID: ec4dcabe1fa3ccc3d65c0aac7a9afdda3b4adf70ed73e32e41b074d576d54c41
Opcode Fuzzy Hash: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
Instruction Fuzzy Hash: 7A21EA3236968597D761CA15E4547AAB3E1F3CC788F805135EA8E83B58EB7DC644CF00

Function 02E202A8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609fff9ca47891a76d7cdf81cd939a81397670999d1d5ad69760438364788215
Instruction ID: c1a893ff31bbae57e5d90c04e2a69e381911871356d9a4b980eb778a4cbf8fa3
Opcode Fuzzy Hash: 609fff9ca47891a76d7cdf81cd939a81397670999d1d5ad69760438364788215
Instruction Fuzzy Hash: F481FD9798EEE44BE3624AB8CE7416A3F10E5B2E1835EF09BD3C2421C7F75654098F42

Function 02E20328 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eb0edbb0e359fe3357fd5d9efdbf27eb50c4a649baecfa982fe5d27c6f2677
Instruction ID: 744023de83050db0a6a5e905fb518141a6a595cf68ffc53048876dcf3dcd0853
Opcode Fuzzy Hash: 90eb0edbb0e359fe3357fd5d9efdbf27eb50c4a649baecfa982fe5d27c6f2677
Instruction Fuzzy Hash: AA51FB9798EEE44BE3224ABCCD7416E3F10E5B2E1835EF09AD3C2461C6F65A54098F42

Function 02E11A7C Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bda534025fc2a5258da5b2ae6ad53c3544734871fed1170d4db59892fa36d4
Instruction ID: 947b48f1e51ef12d15f1e50ed092366b375334a550d644e850d685ce3753def4
Opcode Fuzzy Hash: 56bda534025fc2a5258da5b2ae6ad53c3544734871fed1170d4db59892fa36d4
Instruction Fuzzy Hash: B58132A320C9E545CB258A25A0702BEBFB2F3CE749F184266E7DA47799C91DC701DF10

Function 02E11A8C Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d9c8b16c67657ba2a8914a9b5ddf9366b4d43717004cc4a20ecaa045c348f3
Instruction ID: d803143113754f0796142d8a7aeff69e107c89dd28fd43c38f33be63de86ef67
Opcode Fuzzy Hash: 21d9c8b16c67657ba2a8914a9b5ddf9366b4d43717004cc4a20ecaa045c348f3
Instruction Fuzzy Hash: 5981216320C9E545CB258A25A0702BEBFB2F3CE749F185266E7DA47B9AC91DC701DF10

Function 02E203C8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7200296f90a68437e6908fb7329b8232917be444cc4185ed58ce1a744d9557
Instruction ID: af4ba55e6b4d31e184bce79b1f7df6a59a9d67213d2afb03faa211fb04930f2e
Opcode Fuzzy Hash: fe7200296f90a68437e6908fb7329b8232917be444cc4185ed58ce1a744d9557
Instruction Fuzzy Hash: 8341D89788DAE44BE3234AB8CD7417E3F10E5B2E1835EF19AD7C2461C6F65A5409CF42

Function 02E203E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3603783c8cc2a61d70762c327341cb4965f77b09af58d8847897b256156bd2e
Instruction ID: fe35b6798abf2e32d5e80b7af06b969ef86dff51ef8890641595c584de53a2b3
Opcode Fuzzy Hash: b3603783c8cc2a61d70762c327341cb4965f77b09af58d8847897b256156bd2e
Instruction Fuzzy Hash: D541BC9788DAE44BE3624ABCCC7417E3F20E5B2E1835EF19AD7C2461C7B65A4409CF42

Function 02E201A0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733233429738095bfea848319ca15546f1bf49c5b5c79b6d7323185b7aef0718
Instruction ID: ac98f9114cb008476841108a3e2a24c13015481007da9a536f5aa5c18edaa8cc
Opcode Fuzzy Hash: 733233429738095bfea848319ca15546f1bf49c5b5c79b6d7323185b7aef0718
Instruction Fuzzy Hash: 1241F39B98EBE44EE7638A78CC6815D3F10E5B7E1834EF09BD7C5462C3A749140A8B52

Function 02E202E0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d52b5d5fe60a38a10f5b3562a9b3d9454dd88b8ece74df79603e6f6945b9c6
Instruction ID: 71138211f8aa8d12ac4b3d4a539042ccf6b9bb094520be4a0686f776402a2d5b
Opcode Fuzzy Hash: 38d52b5d5fe60a38a10f5b3562a9b3d9454dd88b8ece74df79603e6f6945b9c6
Instruction Fuzzy Hash: E531109798EEE44FE3224A78CF7415A2F10E5B2E1834EF09BC7C2821C3E75664099F52

Function 02E200E8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f54137455ab80dbdbc12a7fc5e923267ad55422e72ceee1d8b8b56c2c8de9b
Instruction ID: 32e909c35b9d2c5b03ec5f0c14615bdbe10bdc1568d4139c9074af3d676373a9
Opcode Fuzzy Hash: 86f54137455ab80dbdbc12a7fc5e923267ad55422e72ceee1d8b8b56c2c8de9b
Instruction Fuzzy Hash: B7D0A99BC8CAE082F9021A348CAC2882F00E776A14F48E48686C0026C3AE08500E5B02

Function 02E20610 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed80cfed0847e0f73f19d8a46af97e746bea18a48b2517016e1c88c6c229a98d
Instruction ID: bd6ccbdf3f14cd19176cea9a809e83ef04c83b8cfd05d0e2cf94957b911ad0a1
Opcode Fuzzy Hash: ed80cfed0847e0f73f19d8a46af97e746bea18a48b2517016e1c88c6c229a98d
Instruction Fuzzy Hash: 7F90025210F3D105C7034E74492150C3F30618281034D5097828882183C448049CA317

Function 02E1C860 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET ref: 02E1C8CC
HttpOpenRequestW.WININET ref: 02E1C91E
InternetCloseHandle.WININET ref: 02E1C9DA
InternetCloseHandle.WININET ref: 02E1C9ED

Strings

GET, xrefs: 02E1C912

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$ConnectHttpOpenRequest
String ID: GET
API String ID: 830097650-1805413626
Opcode ID: 657b085bd4e3b228aebded96fa21e341c1e22246fcb3bdea63752328c3324ad3
Instruction ID: c757c4a4b03c41716205047d4b3411eebdfa0b18d20b95a2520b5d6d2d62048c
Opcode Fuzzy Hash: 657b085bd4e3b228aebded96fa21e341c1e22246fcb3bdea63752328c3324ad3
Instruction Fuzzy Hash: 8F41C572198A8086E720CF54F45975BB7A4F7C4798F606126E7CA83E68DFBDC448CB41

Function 02E12D50 Relevance: 15.2, APIs: 10, Instructions: 232processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02E12D7F

Part of subcall function 02E1B388: NtAllocateVirtualMemory.NTDLL ref: 02E1B3BE

Process32First.KERNEL32 ref: 02E12E09
Process32Next.KERNEL32 ref: 02E12E2A
Process32First.KERNEL32 ref: 02E12E56
Process32Next.KERNEL32 ref: 02E12EA3
Process32First.KERNEL32 ref: 02E12EBA
wsprintfA.USER32 ref: 02E12FF5
wsprintfA.USER32 ref: 02E1309B
Process32Next.KERNEL32 ref: 02E131D8
CloseHandle.KERNEL32 ref: 02E131F5

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: 8df3ec741e24db44c491636e4838e4e767a92c727dd18a58b057ff5a21d5a57b
Instruction ID: 4f7f2f05b41d4d0482513881273c57621bb5e2185eb6a2cdb4ef485b9b6b446a
Opcode Fuzzy Hash: 8df3ec741e24db44c491636e4838e4e767a92c727dd18a58b057ff5a21d5a57b
Instruction Fuzzy Hash: 01C1EA32249BC595DB30DB14E49039AB7A5F789788F849126EBCE43B68EF78C549CF40

Function 02E1BB44 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 02E1BBB2
MapViewOfFile.KERNEL32 ref: 02E1BBE5
VirtualFree.KERNEL32 ref: 02E1BCF3
UnmapViewOfFile.KERNEL32 ref: 02E1BD0B
CloseHandle.KERNEL32 ref: 02E1BD16

Strings

@, xrefs: 02E1BBCC

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
Instruction ID: 8b2f07ff9efa2b8b8215e86890b65b07a991581f04b4df73cee69a5eb4c9d20d
Opcode Fuzzy Hash: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
Instruction Fuzzy Hash: C841E832269B85C2DB60DB15E49476EB365F7C4B98F50A135EA8E43BA8DF3CC444CB40

Function 02E1C5C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 02E1C62E
MapViewOfFile.KERNEL32 ref: 02E1C661
VirtualFree.KERNEL32 ref: 02E1C6BE
UnmapViewOfFile.KERNEL32 ref: 02E1C6D6
CloseHandle.KERNEL32 ref: 02E1C6E1

Strings

@, xrefs: 02E1C648

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: 89cc15fca75ace34c048844633d37e36198ece7b99378586f91bb717b3fa10ee
Instruction ID: 5e042842727fe60a2c811fd390c32ef93d056d41c3f9aa9a0a6efcff957fdb4b
Opcode Fuzzy Hash: 89cc15fca75ace34c048844633d37e36198ece7b99378586f91bb717b3fa10ee
Instruction Fuzzy Hash: 8D310A32298BC4C2D750DB15E49435AB360F7C8B94F50A622EA9F83BA4DF7CC488CB00

Function 02E1260C Relevance: 7.7, APIs: 5, Instructions: 174processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02E1262E
Process32First.KERNEL32 ref: 02E12671
wsprintfA.USER32 ref: 02E127B4
wsprintfA.USER32 ref: 02E1284E
Process32Next.KERNEL32 ref: 02E12970

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: f7cf74ccca81ea4395c2b22979aaa675c72b38b0cad517df50d9b68bbf6d3949
Instruction ID: 96a1c696c32b843805074a9c83f99ec3a13b8093fb4a8ff852c67e47fc431994
Opcode Fuzzy Hash: f7cf74ccca81ea4395c2b22979aaa675c72b38b0cad517df50d9b68bbf6d3949
Instruction Fuzzy Hash: 3181E836259BC5D6DA60DB14E88439AB3A5F788784F90A136EB8D43B6CEF38C545CF40

Function 02E1900C Relevance: 7.6, APIs: 5, Instructions: 121networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 02E19073
InternetCloseHandle.WININET ref: 02E19242
InternetCloseHandle.WININET ref: 02E19255

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$Open
String ID:
API String ID: 2762225225-0
Opcode ID: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
Instruction ID: 35ebc39a3aea09ee040cf9db36220ec5fa0e5048144a2955c3077262227aa74f
Opcode Fuzzy Hash: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
Instruction Fuzzy Hash: 3A51E376258A8086DB60CB55F4A475EB7A0F7C5798F50A026EB8A83B68DF7DC484CF00

Function 02E1B9A0 Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 02E1BA70
wsprintfW.USER32 ref: 02E1BAC2
CreateProcessW.KERNEL32 ref: 02E1BB11
CloseHandle.KERNEL32 ref: 02E1BB24
CloseHandle.KERNEL32 ref: 02E1BB2F

Memory Dump Source

Source File: 0000000A.00000002.3170849503.0000000002E10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e10000_explorer.jbxd

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: b18e833e66d955f35563fdfa70050700d38f2023f4f5055f34abfc6722212c5f
Instruction ID: f3eedb8290a60e770f346a0ee60728c8c29c413ddf443197de4a8fccfc6d74e4
Opcode Fuzzy Hash: b18e833e66d955f35563fdfa70050700d38f2023f4f5055f34abfc6722212c5f
Instruction Fuzzy Hash: 0141F972298BC5D6DB60DB10E4543ABB7A5F7D8348F80902AE6CD42A68EF7CC559CF40

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mirabon.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6c2501.rbs

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2ae97f98-0092-4d0f-8a0a-7c4d59a1c43f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC339.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDBA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDE9.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Windows[1].json

C:\Users\user\AppData\Roaming\gpuset\gpufault.dll

C:\Users\user\NTUSER.DAT.Not

C:\Windows\Installer\6c24ff.msi

C:\Windows\Installer\MSI2618.tmp

C:\Windows\Installer\MSI26B5.tmp

C:\Windows\Installer\MSI26E5.tmp

C:\Windows\Installer\MSI2715.tmp

C:\Windows\Installer\MSI2793.tmp

Windows Analysis Report
mirabon.msi

Function 02E18424 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202
COMMON

Function 02E17274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Function 02E18D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre