Windows Analysis Report
ad.msi

Overview

General Information

Sample name: ad.msi
Analysis ID: 1431940
MD5: 666151c11b7899a0c764abe711d3f9b3
SHA1: 35462114e096f4d307607d713136bfe38479870d
SHA256: 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware can execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL, or shellcode. It is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 8.2.rundll32.exe.210fea00000.1.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source: :wtfbbq (copy) Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll Virustotal: Detection: 14%
Source: ad.msi Virustotal: Detection: 8%
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: H-%8L
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: )b
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: $k$
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: h
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: !"#$%&'()*+,-./012345678
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor:
Source: 6.2.rundll32.exe.1fb3ab60000.1.unpack String decryptor: @ !"#$%&'()*+,-./0123456789:;<=>?@
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 6_2_000000018003BC0C
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe File opened (drive-letter enumeration): a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B5AF79 FindFirstFileExW, 5_2_00B5AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_000001FB3AB7A350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB71A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_000001FB3AB71A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_0000024739A4A350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A41A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_0000024739A41A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_00000210FEA0A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA01A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_00000210FEA01A08

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://wrankaget.site/live/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected (1 request):
    POST /live/ HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: jarinamaers.shop
    Content-Length: 252
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected (3 requests):
    POST /live/ HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: jarinamaers.shop
    Content-Length: 180
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected (2 requests):
    POST /live/ HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: grizmotras.com
    Content-Length: 180
    Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB78D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 6_2_000001FB3AB78D90
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: grizmotras.com
Source: unknown HTTP traffic detected:
    POST /live/ HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
    Host: jarinamaers.shop
    Content-Length: 252
    Cache-Control: no-cache
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://t2.symcb.com0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137449195.000002473BAB0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/p
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/xe
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/vider
Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/videri
Source: rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/1
Source: rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/G
Source: rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/Y
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739AE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/K
Source: rundll32.exe, 00000007.00000003.3199082000.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137201375.0000024739B56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137300650.0000024739B56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/l
Source: rundll32.exe, 00000007.00000003.3137465440.000002473BA70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3137449195.000002473BAB0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID8B1.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID824.tmp.1.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49718 version: TLS 1.2

System Summary

Source: 360total.dll.1.dr Static PE information: section name: yhDm^
Source: Update_77697333.dll.6.dr Static PE information: section name: yhDm^
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B23C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary, 5_2_00B23C20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77B40 NtFreeVirtualMemory, 6_2_000001FB3AB77B40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77588 RtlInitUnicodeString,NtCreateFile,NtClose, 6_2_000001FB3AB77588
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB778C0 NtReadFile, 6_2_000001FB3AB778C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77A54 NtWriteFile, 6_2_000001FB3AB77A54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB779C8 NtClose, 6_2_000001FB3AB779C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7378C NtClose, 6_2_000001FB3AB7378C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB777B0 RtlInitUnicodeString,NtCreateFile, 6_2_000001FB3AB777B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7AD34 NtAllocateVirtualMemory, 6_2_000001FB3AB7AD34
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7B0C4 NtOpenKey,RtlpNtOpenKey, 6_2_000001FB3AB7B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 6_2_000001FB3AB7B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 6_2_000001FB3AB7463C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77ACC NtClose, 6_2_000001FB3AB77ACC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77694 RtlInitUnicodeString,NtDeleteFile, 6_2_000001FB3AB77694
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7745C RtlInitUnicodeString,NtOpenFile,NtClose, 6_2_000001FB3AB7745C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB77704 NtQueryInformationFile, 6_2_000001FB3AB77704
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7CB54 NtDelayExecution, 6_2_000001FB3AB7CB54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB80AC0 NtFreeVirtualMemory, 6_2_000001FB3AB80AC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB80AF0 NtWriteFile, 6_2_000001FB3AB80AF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB80A90 NtDeleteFile, 6_2_000001FB3AB80A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB80A78 NtClose, 6_2_000001FB3AB80A78
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4CB54 NtDelayExecution, 7_2_0000024739A4CB54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4AD34 NtAllocateVirtualMemory, 7_2_0000024739A4AD34
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47B40 NtFreeVirtualMemory, 7_2_0000024739A47B40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4B0C4 NtOpenKey,RtlpNtOpenKey, 7_2_0000024739A4B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47A54 NtWriteFile, 7_2_0000024739A47A54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 7_2_0000024739A4463C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4378C NtClose, 7_2_0000024739A4378C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 7_2_0000024739A4B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A477B0 RtlInitUnicodeString,NtCreateFile, 7_2_0000024739A477B0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47704 NtQueryInformationFile, 7_2_0000024739A47704
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47694 RtlInitUnicodeString,NtDeleteFile, 7_2_0000024739A47694
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A50A90 NtDeleteFile, 7_2_0000024739A50A90
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A50A78 NtClose, 7_2_0000024739A50A78
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47ACC NtClose, 7_2_0000024739A47ACC
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A50AC0 NtFreeVirtualMemory, 7_2_0000024739A50AC0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A478C0 NtReadFile, 7_2_0000024739A478C0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4745C RtlInitUnicodeString,NtOpenFile,NtClose, 7_2_0000024739A4745C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A47588 RtlInitUnicodeString,NtCreateFile,NtClose, 7_2_0000024739A47588
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A479C8 NtClose, 7_2_0000024739A479C8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0AD34 NtAllocateVirtualMemory, 8_2_00000210FEA0AD34
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07B40 NtFreeVirtualMemory, 8_2_00000210FEA07B40
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA078C0 NtReadFile, 8_2_00000210FEA078C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA10AC0 NtFreeVirtualMemory, 8_2_00000210FEA10AC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0B0C4 NtOpenKey, 8_2_00000210FEA0B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07ACC NtClose, 8_2_00000210FEA07ACC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07694 RtlInitUnicodeString,NtDeleteFile, 8_2_00000210FEA07694
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07704 NtQueryInformationFile, 8_2_00000210FEA07704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 8_2_00000210FEA0463C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07A54 NtWriteFile, 8_2_00000210FEA07A54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0745C RtlInitUnicodeString,NtOpenFile,NtClose, 8_2_00000210FEA0745C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA077B0 RtlInitUnicodeString,NtCreateFile, 8_2_00000210FEA077B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA079C8 NtClose, 8_2_00000210FEA079C8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 8_2_00000210FEA0B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA07588 RtlInitUnicodeString,NtCreateFile,NtClose, 8_2_00000210FEA07588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0378C NtClose, 8_2_00000210FEA0378C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0CB54 NtDelayExecution, 8_2_00000210FEA0CB54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006A2C8: DeviceIoControl, 6_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5fd5a1.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID69B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID719.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID824.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSID69B.tmp
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B26A50 5_2_00B26A50
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B5F032 5_2_00B5F032
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B592A9 5_2_00B592A9
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4C2CA 5_2_00B4C2CA
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4E270 5_2_00B4E270
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B584BD 5_2_00B584BD
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4A587 5_2_00B4A587
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B5D8D5 5_2_00B5D8D5
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B2C870 5_2_00B2C870
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B44920 5_2_00B44920
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4A915 5_2_00B4A915
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B50A48 5_2_00B50A48
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B29CC0 5_2_00B29CC0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B55D6D 5_2_00B55D6D
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180017FE8 6_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006DFF4 6_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800220D8 6_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007C140 6_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180060174 6_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018008023C 6_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000834C 6_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006C470 6_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800784E0 6_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800764F0 6_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180060578 6_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010580 6_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004E5DC 6_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062600 6_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180002610 6_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180004638 6_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004A650 6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006E760 6_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800647B0 6_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007E7C7 6_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180076930 6_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062954 6_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006A994 6_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006E9FC 6_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180082A18 6_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180072A27 6_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010B58 6_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180026C84 6_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001ECF4 6_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180008E20 6_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180052FD8 6_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018003AFE8 6_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005D014 6_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006F0B4 6_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800630CC 6_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005912C 6_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007B2D0 6_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018002B2EC 6_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006D3D4 6_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 6_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180075480 6_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800694A0 6_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005958C 6_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800576DC 6_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800097E0 6_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800277FC 6_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018002D964 6_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180073B60 6_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007BBB0 6_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001BC38 6_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005DD18 6_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180073DF0 6_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180011DF0 6_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005BE6C 6_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004FF88 6_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB71030 6_2_000001FB3AB71030
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A41030 7_2_0000024739A41030
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA01030 8_2_00000210FEA01030
Source: Joe Sandbox View Dropped File: :wtfbbq (copy) 1625AC230AA5CA950573F3BA0B1A7BD4C7FBD3E3686F9ECD4A40F1504BF33A11
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 00B43292 appears 70 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 00B43790 appears 39 times
Source: C:\Windows\Installer\MSID8B1.tmp Code function: String function: 00B4325F appears 103 times
Source: ad.msi Binary or memory string: OriginalFilenameviewer.exeF vs ad.msi
Source: ad.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs ad.msi
Source: classification engine Classification label: mal100.spre.troj.evad.winMSI@38/31@2/2
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 6_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018008395A
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B23860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,FindCloseChangeNotification,Process32NextW,CloseHandle, 5_2_00B23860
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B24BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 5_2_00B24BA0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B245B0 LoadResource,LockResource,SizeofResource, 5_2_00B245B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD87F.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Installer\MSID8B1.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: ad.msi Virustotal: Detection: 8%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E4F2088FE7B6F79163C652AEB7DCBA5B C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2B25E5241F8800AB2020C808DD90D583
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSID8B1.tmp "C:\Windows\Installer\MSID8B1.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll", homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll Jump to behavior
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\Installer\MSID8B1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: ad.msi Static file information: File size 1619456 > 1048576
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSID3EB.tmp.0.dr, MSID498.tmp.0.dr, MSID69B.tmp.1.dr, MSID509.tmp.0.dr, 5fd5a1.msi.1.dr, MSID529.tmp.0.dr, MSID4B9.tmp.0.dr, MSID719.tmp.1.dr, MSID4D9.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSID8B1.tmp, 00000005.00000002.1997119056.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, MSID8B1.tmp, 00000005.00000000.1989909897.0000000000B67000.00000002.00000001.01000000.00000003.sdmp, ad.msi, MSID8B1.tmp.1.dr, 5fd5a1.msi.1.dr, MSID824.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000002.1996154731.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000006.00000003.1995316224.000001FB3C5F0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3238751138.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_77697333.dll.6.dr, 360total.dll.1.dr
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: Update_77697333.dll.6.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.1.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.1.dr Static PE information: section name: yhDm^
Source: Update_77697333.dll.6.dr Static PE information: section name: yhDm^
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4323C push ecx; ret 5_2_00B4324F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010451 push rcx; ret 6_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001045A push rcx; ret 6_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018017500F push rdx; iretd 6_2_0000000180175010
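The two static findings on the dropped DLL above (a non-zero PE checksum that does not match the file, and a section named `yhDm^`) are cheap to reproduce outside the sandbox. The following is an added example, not code from the sandbox vendor or from the sample: it recomputes OptionalHeader.CheckSum the way `imagehlp!CheckSumMappedFile` does (dword sum with end-around carry, skipping the CheckSum field, folded to 16 bits, plus file size), and flags section names outside the usual `.text`/`.rdata`/`UPX0` shape. To run offline it builds a small synthetic PE32+ image in memory; that image, its section names and the tampering step are constructed test data, not the bytes of `360total.dll`. A real file can be passed to `check_pe()` directly. The checksum-field offset logic assumes a dword-aligned `e_lfanew`, which every linker produces.

```python
"""Recompute a PE header checksum and flag odd section names (added example)."""
import re
import struct

# Conventional image section names: optional leading dot, then up to 8
# alphanumerics/underscore/dollar. Anything else (e.g. "yhDm^") is reported.
SANE_SECTION_NAME = re.compile(r"^\.?[A-Za-z0-9_$]{1,8}$")


def _checksum_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + 'PE\\0\\0' (4) + COFF header (20) + 64."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Value Windows expects in OptionalHeader.CheckSum for this exact byte image."""
    skip = _checksum_offset(data)                      # assumes dword-aligned e_lfanew
    padded = data + b"\0" * (-len(data) % 4)           # zero-pad to a dword multiple
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                                # the CheckSum field itself is not summed
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    while total >> 16:                                 # fold to a 16-bit one's-complement sum
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def check_pe(data):
    """Parse section names and compare the stored checksum against a recomputed one."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    stored, = struct.unpack_from("<I", data, _checksum_offset(data))
    table = e_lfanew + 24 + opt_size                   # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    computed = pe_checksum(data)
    return {
        "stored": stored,
        "computed": computed,
        # A zero CheckSum means the linker never filled it in (common for user-mode
        # DLLs); only a non-zero value that disagrees with the recomputation points
        # at bytes having been changed after linking.
        "checksum_ok": stored == 0 or stored == computed,
        "sections": names,
        "odd_sections": [n for n in names if not SANE_SECTION_NAME.match(n)],
    }


def build_sample_pe(section_names):
    """Constructed test data: a minimal PE32+ image with empty section headers and CheckSum = 0."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240                                     # PE32+ optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    table = b""
    for i, name in enumerate(section_names):
        table += name.encode("latin-1")[:8].ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def stamp_checksum(data):
    """Return a copy carrying a correct CheckSum, i.e. what the linker would have written."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), pe_checksum(data))
    return bytes(buf)


if __name__ == "__main__":
    linked = stamp_checksum(build_sample_pe([".text", "yhDm^"]))
    tampered = bytearray(linked)
    tampered[-1] ^= 0x5A                               # a post-link edit outside the CheckSum field
    for label, image in (("linked", linked), ("tampered", bytes(tampered))):
        r = check_pe(image)
        print(f"{label}: stored=0x{r['stored']:x} computed=0x{r['computed']:x} "
              f"ok={r['checksum_ok']} odd_sections={r['odd_sections']}")
```

A mismatch like the report's 0xe14a2 versus 0xe5e2c is not proof of malice on its own (some build pipelines patch resources after linking), but combined with a section whose name no linker would emit it is a strong hint that the image was rewritten by a packer or a loader stub, which is the signature the report raises as "PE file contains section with special chars".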

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID529.tmp
Source: C:\Windows\System32\rundll32.exe File created: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID4D9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID69B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID719.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID509.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID4B9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID498.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID8B1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID69B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID719.tmp
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 6_2_0000000180062148
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 6_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 6_2_000001FB3AB768E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 6_2_000001FB3AB77FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 7_2_0000024739A468E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 7_2_0000024739A47FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_00000210FEA068E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_00000210FEA07FA8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8237
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 816
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 946
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID529.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID719.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID69B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4D9.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID509.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4B9.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID498.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3EB.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_77697333.dll
Source: C:\Windows\Installer\MSID8B1.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.4 %
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe TID: 4112 Thread sleep count: 8237 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4112 Thread sleep time: -8237000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 5248 Thread sleep count: 816 > 30
Source: C:\Windows\System32\rundll32.exe TID: 5248 Thread sleep time: -81600s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 4112 Thread sleep count: 946 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4112 Thread sleep time: -946000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B5AF79 FindFirstFileExW, 5_2_00B5AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB7A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_000001FB3AB7A350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB71A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_000001FB3AB71A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A4A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_0000024739A4A350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_0000024739A41A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_0000024739A41A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA0A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_00000210FEA0A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000210FEA01A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_00000210FEA01A08
Source: rundll32.exe, 00000007.00000002.3239328472.0000024739A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000007.00000003.3200350559.0000024739B18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3200350559.0000024739AEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739B18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739AE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3239328472.0000024739A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3239728503.000002473BAB0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B2D0A5 IsDebuggerPresent,OutputDebugStringW, 5_2_00B2D0A5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B52DCC mov ecx, dword ptr fs:[00000030h] 5_2_00B52DCC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B5AD78 mov eax, dword ptr fs:[00000030h] 5_2_00B5AD78
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B22310 GetProcessHeap, 5_2_00B22310
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B433A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B433A8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B4353F SetUnhandledExceptionFilter, 5_2_00B4353F
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B42968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00B42968
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B46E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B46E1B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B252F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 5_2_00B252F0
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: 360total.dll.1.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B435A9 cpuid 5_2_00B435A9
Source: C:\Windows\Installer\MSID8B1.tmp Code function: EnumSystemLocalesW, 5_2_00B5E0C6
Source: C:\Windows\Installer\MSID8B1.tmp Code function: EnumSystemLocalesW, 5_2_00B5E1AC
Source: C:\Windows\Installer\MSID8B1.tmp Code function: EnumSystemLocalesW, 5_2_00B57132
Source: C:\Windows\Installer\MSID8B1.tmp Code function: EnumSystemLocalesW, 5_2_00B5E111
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00B5E237
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoEx, 5_2_00B423F8
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoW, 5_2_00B5E48A
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_00B5E5B3
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoW, 5_2_00B5E6B9
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetLocaleInfoW, 5_2_00B576AF
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_00B5E788
Source: C:\Windows\Installer\MSID8B1.tmp Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_00B5DE24
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B437D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00B437D5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FB3AB78AE0 GetUserNameA,wsprintfA, 6_2_000001FB3AB78AE0
Source: C:\Windows\Installer\MSID8B1.tmp Code function: 5_2_00B57B1F GetTimeZoneInformation, 5_2_00B57B1F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 6_2_0000000180040CB0
Source: C:\Windows\System32\nltest.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.2.rundll32.exe.210fe9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fea00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fe9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fea00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239304282.0000024739A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3072398215.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3001961858.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2854188056.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1996565614.000001FB3AB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239248195.0000024739A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 8.2.rundll32.exe.210fe9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fea00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fe9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1fb3ab60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.24739a40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.210fea00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3239594516.000002473B520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239003691.0000005536378000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2009341046.00000210FE9F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2918615287.000002473B890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2009386305.00000210FEA00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239304282.0000024739A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3072398215.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3001961858.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2854188056.000002473B4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1996565614.000001FB3AB60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3239248195.0000024739A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1996586579.000001FB3AB70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR