Windows Analysis Report
neo.msi

Overview

General Information

Sample name: neo.msi
Analysis ID: 1432285
MD5: 37605a3eb80f3366e56938031a9ac917
SHA1: 0582a0dd69d6027fb94765254ed91ad736ade305
SHA256: 4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Rundll32 performs DNS lookup (likely malicious behavior)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 8.2.rundll32.exe.130000.1.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}
Source: :wtfbbq (copy) Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll Virustotal: Detection: 9%
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 8_2_000000018003BC0C
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\rundll32.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D4AF79 FindFirstFileExW, 7_2_00D4AF79
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 8_2_0013A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_00131A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140DD8 FindFirstFileA, 8_2_00140DD8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140DE0 FindFirstFileW, 8_2_00140DE0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 9_2_001CA350
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 9_2_001C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 13_2_01ADA350
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0DE0 FindFirstFileW, 13_2_01AE0DE0
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0DD8 FindFirstFileA, 13_2_01AE0DD8
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 13_2_01AD1A08

Networking

Source: C:\Windows\System32\rundll32.exe Domain query: jarinamaers.shop
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://startmast.shop/live/
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00134F58 InternetReadFile, 8_2_00134F58
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://t2.symcb.com0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/G
Source: rundll32.exe, 00000009.00000002.619056856.000000000056B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/O
Source: rundll32.exe, 00000009.00000002.619056856.00000000004F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.619056856.0000000000508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr String found in binary or memory: https://www.thawte.com/repository0W

System Summary

Source: C:\Windows\System32\rundll32.exe DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe DNS query: name: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe DNS query: name: jarinamaers.shop
Source: C:\Windows\Installer\MSI1B42.tmp Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D13C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary, 7_2_00D13C20
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 8_2_0013463C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137A54 NtWriteFile, 8_2_00137A54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_001378C0 NtReadFile, 8_2_001378C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013B0C4 NtOpenKey,RtlpNtOpenKey, 8_2_0013B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013AD34 NtAllocateVirtualMemory, 8_2_0013AD34
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137B40 NtFreeVirtualMemory, 8_2_00137B40
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137588 RtlInitUnicodeString,NtCreateFile,NtClose, 8_2_00137588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013378C NtClose, 8_2_0013378C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_001377B0 RtlInitUnicodeString,NtCreateFile, 8_2_001377B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 8_2_0013B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_001379C8 NtClose, 8_2_001379C8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory, 8_2_00140A18
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013745C RtlInitUnicodeString,NtOpenFile,NtClose, 8_2_0013745C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137694 RtlInitUnicodeString,NtDeleteFile, 8_2_00137694
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140A80 NtCreateFile, 8_2_00140A80
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140AC0 NtFreeVirtualMemory,NtFlushInstructionCache, 8_2_00140AC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137ACC NtClose, 8_2_00137ACC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140AF0 NtWriteFile, 8_2_00140AF0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140AF8 NtReadFile, 8_2_00140AF8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B00 NtDelayExecution, 8_2_00140B00
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00137704 NtQueryInformationFile, 8_2_00137704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B08 NtOpenKey,NtSetValueKey,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 8_2_00140B08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B28 NtQueryInformationFile,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 8_2_00140B28
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013CB54 NtDelayExecution, 8_2_0013CB54
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 9_2_001C463C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CB0C4 NtOpenKey,RtlpNtOpenKey, 9_2_001CB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CAD34 NtAllocateVirtualMemory, 9_2_001CAD34
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CCB54 NtDelayExecution, 9_2_001CCB54
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7B40 NtFreeVirtualMemory, 9_2_001C7B40
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C378C NtClose, 9_2_001C378C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C77B0 RtlInitUnicodeString,NtCreateFile, 9_2_001C77B0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 9_2_001CB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001D0A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory, 9_2_001D0A18
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C745C RtlInitUnicodeString,NtOpenFile,NtClose, 9_2_001C745C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7A54 NtWriteFile, 9_2_001C7A54
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7694 RtlInitUnicodeString,NtDeleteFile, 9_2_001C7694
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7ACC NtClose, 9_2_001C7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C78C0 NtReadFile, 9_2_001C78C0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001D0AC0 NtFreeVirtualMemory,NtFlushInstructionCache, 9_2_001D0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001D0AF0 NtWriteFile, 9_2_001D0AF0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7704 NtQueryInformationFile, 9_2_001C7704
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001D0B00 NtDelayExecution, 9_2_001D0B00
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C7588 RtlInitUnicodeString,NtCreateFile,NtClose, 9_2_001C7588
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C79C8 NtClose, 9_2_001C79C8
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADAD34 NtAllocateVirtualMemory, 13_2_01ADAD34
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7B40 NtFreeVirtualMemory, 13_2_01AD7B40
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD77B0 RtlInitUnicodeString,NtCreateFile, 13_2_01AD77B0
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD378C NtClose, 13_2_01AD378C
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7588 RtlInitUnicodeString,NtCreateFile,NtClose, 13_2_01AD7588
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD79C8 NtClose, 13_2_01AD79C8
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 13_2_01ADB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7704 NtQueryInformationFile, 13_2_01AD7704
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0B00 NtDelayExecution, 13_2_01AE0B00
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADCB54 NtDelayExecution, 13_2_01ADCB54
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7694 RtlInitUnicodeString,NtDeleteFile, 13_2_01AD7694
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7ACC NtClose, 13_2_01AD7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADB0C4 NtOpenKey, 13_2_01ADB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD78C0 NtReadFile, 13_2_01AD78C0
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0AC0 NtFreeVirtualMemory,NtFlushInstructionCache, 13_2_01AE0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 13_2_01AD463C
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory, 13_2_01AE0A18
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD745C RtlInitUnicodeString,NtOpenFile,NtClose, 13_2_01AD745C
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD7A54 NtWriteFile, 13_2_01AD7A54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018006A2C8: DeviceIoControl, 8_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 8_2_000000018004B1A4
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\747f6e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8029.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\747f6f.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\747f6f.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI19CA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1B42.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8029.tmp
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI1B42.tmp Code function: String function: 00D33790 appears 39 times
Source: C:\Windows\Installer\MSI1B42.tmp Code function: String function: 00D3325F appears 103 times
Source: C:\Windows\Installer\MSI1B42.tmp Code function: String function: 00D33292 appears 70 times
Source: neo.msi Binary or memory string: OriginalFilenameviewer.exeF vs neo.msi
Source: neo.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs neo.msi
Source: classification engine Classification label: mal100.troj.evad.winMSI@14/22@5/0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 8_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 8_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 8_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 8_2_000000018008395A
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D13860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 7_2_00D13860
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D14BA0 CoInitialize,CoCreateInstance,VariantInit,ObjectStublessClient10,VariantClear,IUnknown_QueryService,ObjectStublessClient9,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,OleUninitialize,_com_issue_error, 7_2_00D14BA0
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D145B0 LoadResource,LockResource,SizeofResource, 7_2_00D145B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 8_2_0000000180049AEC
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\HuMaster LLC
Source: C:\Windows\System32\msiexec.exe Mutant created: \BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Source: C:\Windows\System32\msiexec.exe Mutant created: \BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp
Source: C:\Windows\Installer\MSI1B42.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: rundll32.exe, rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\neo.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {9EB3A60F-302F-4AB2-B149-897715BB8B05} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: atl.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samlib.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\Installer\MSI1B42.tmp Section loaded: wow64win.dll
Source: C:\Windows\Installer\MSI1B42.tmp Section loaded: wow64cpu.dll
Source: C:\Windows\Installer\MSI1B42.tmp Section loaded: cryptsp.dll
Source: C:\Windows\Installer\MSI1B42.tmp Section loaded: rpcrtremote.dll
Source: C:\Windows\Installer\MSI1B42.tmp Section loaded: sxs.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: dwmapi.dll
Source: C:\Windows\Installer\MSI1B42.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: neo.msi Static file information: File size 1620480 > 1048576
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: neo.msi, 747f6e.msi.1.dr, MSI8029.tmp.1.dr, MSI829C.tmp.0.dr, MSIADBD.tmp.0.dr, MSI827B.tmp.0.dr, MSI82BC.tmp.0.dr, MSI825B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI1B42.tmp, 00000007.00000002.447220101.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, MSI1B42.tmp, 00000007.00000000.402335120.0000000000D57000.00000002.00000001.01000000.00000005.sdmp, neo.msi, 747f6e.msi.1.dr, MSI19CA.tmp.1.dr, MSI1B42.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000008.00000003.405624482.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.447008267.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000009.00000002.619259049.0000000180086000.00000002.00000001.01000000.00000009.sdmp, Update_6a61d649.dll.8.dr, 360total.dll.1.dr
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 8_2_00000001800033E0
Source: 360total.dll.1.dr Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: Update_6a61d649.dll.8.dr Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.1.dr Static PE information: section name: wsgi2
Source: Update_6a61d649.dll.8.dr Static PE information: section name: wsgi2
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D3323C push ecx; ret 7_2_00D3324F
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180010451 push rcx; ret 8_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018001045A push rcx; ret 8_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000001801758FC push rsp; ret 8_2_00000001801758FD
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180175CDE push 2027C70Fh; ret 8_2_0000000180175CE5

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI1B42.tmp
Source: C:\Windows\System32\rundll32.exe File created: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI829C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI825B.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI82BC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1B42.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8029.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI827B.tmp
Source: metadata-2.1.dr Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 8_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 8_2_0000000180062148
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 8_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049AEC 8_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_001368E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_00137FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 9_2_001C68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 9_2_001C7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 13_2_01AD68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 13_2_01AD7FA8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 647
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 9092
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI829C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI825B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIADBD.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI82BC.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8029.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI827B.tmp
Source: C:\Windows\Installer\MSI1B42.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.5 %
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049AEC 8_2_0000000180049AEC
Source: C:\Windows\System32\msiexec.exe TID: 828 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 3792 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 1648 Thread sleep time: -720000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3084 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3796 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3368 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Installer\MSI1B42.tmp TID: 3560 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Installer\MSI1B42.tmp TID: 3560 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3584 Thread sleep count: 261 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3584 Thread sleep time: -261000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3632 Thread sleep count: 647 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3632 Thread sleep time: -64700s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3584 Thread sleep count: 9092 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3584 Thread sleep time: -9092000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 3684 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D4AF79 FindFirstFileExW, 7_2_00D4AF79
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0013A350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 8_2_0013A350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_00131A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140DD8 FindFirstFileA, 8_2_00140DD8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140DE0 FindFirstFileW, 8_2_00140DE0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001CA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 9_2_001CA350
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_001C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 9_2_001C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01ADA350 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW, 13_2_01ADA350
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0DE0 FindFirstFileW, 13_2_01AE0DE0
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0DD8 FindFirstFileA, 13_2_01AE0DD8
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AD1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 13_2_01AD1A08
Source: rundll32.exe, 00000008.00000002.446788834.00000000001D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "MWar_VMware_SATA_CD01______
Source: metadata-2.1.dr Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.1.dr Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.1.dr Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140A18 NtQueryInformationProcess,LdrLoadDll,NtAllocateVirtualMemory, 8_2_00140A18
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D1D0A5 IsDebuggerPresent,OutputDebugStringW, 7_2_00D1D0A5
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 8_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 8_2_00000001800033E0
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D42DCC mov ecx, dword ptr fs:[00000030h] 7_2_00D42DCC
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D4AD78 mov eax, dword ptr fs:[00000030h] 7_2_00D4AD78
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D12310 GetProcessHeap, 7_2_00D12310
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D3353F SetUnhandledExceptionFilter, 7_2_00D3353F
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D333A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00D333A8
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D32968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00D32968
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D36E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00D36E1B
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Domain query: jarinamaers.shop
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B08 NtOpenKey,NtSetValueKey,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 8_2_00140B08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B38 RtlFormatCurrentUserKeyPath,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 8_2_00140B38
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00140B28 NtQueryInformationFile,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 8_2_00140B28
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_01AE0B38 RtlFormatCurrentUserKeyPath,VirtualAlloc,VirtualFree,OpenProcess,VirtualAllocEx,VirtualFreeEx,WriteProcessMemory,CreateRemoteThread, 13_2_01AE0B38
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D152F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 7_2_00D152F0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 274E0059499F24D0FC6E34D9DC99A829 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5FD089C2C199466E3D17DC881ED4AD10
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI1B42.tmp "C:\Windows\Installer\MSI1B42.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_6a61d649.dll", homq
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 8_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 8_2_0000000180049278
Source: 360total.dll.1.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D335A9 cpuid 7_2_00D335A9
Source: C:\Windows\Installer\MSI1B42.tmp Code function: EnumSystemLocalesW, 7_2_00D4E0C6
Source: C:\Windows\Installer\MSI1B42.tmp Code function: EnumSystemLocalesW, 7_2_00D4E1AC
Source: C:\Windows\Installer\MSI1B42.tmp Code function: EnumSystemLocalesW, 7_2_00D4E111
Source: C:\Windows\Installer\MSI1B42.tmp Code function: EnumSystemLocalesW, 7_2_00D47132
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00D4E237
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoEx, 7_2_00D323F8
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoW, 7_2_00D4E48A
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_00D4E5B3
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoW, 7_2_00D4E6B9
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetLocaleInfoW, 7_2_00D476AF
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_00D4E788
Source: C:\Windows\Installer\MSI1B42.tmp Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 7_2_00D4DE24
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D337D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_00D337D5
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00138AE0 GetUserNameA,wsprintfA, 8_2_00138AE0
Source: C:\Windows\Installer\MSI1B42.tmp Code function: 7_2_00D47B1F GetTimeZoneInformation, 7_2_00D47B1F
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00138560 RtlGetVersion,GetVersionExW, 8_2_00138560
Source: C:\Windows\Installer\MSI1B42.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Source: Yara match File source: 13.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3580, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 13.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.614395824.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.446771476.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619163772.0000000001E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.420736655.00000000002A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.446779994.0000000000130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619168848.0000000001F0A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.420775529.0000000001AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.618961213.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.619007012.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3580, type: MEMORYSTR
No contacted IP infos