Windows Analysis Report
3cfc9c.msi

Overview

General Information

Sample name: 3cfc9c.msi
Analysis ID: 1543057
MD5: 4875b23906a1e1f4d2aaed6a503cdde6
SHA1: b463f3c978f11a12e4cbdfd6ff141451ed32bb7c
SHA256: 62adbe84f0f19e897df4e0573fc048272e0b537d5b34f811162b8526b9afaf32
Tags: msi, user-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Intelnet\imjp14k.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imjp14k.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imjp14k.dll ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\Intelnet\imjp14k.dll ReversingLabs: Detection: 25%
Source: 3cfc9c.msi ReversingLabs: Detection: 18%
Source: 3cfc9c.msi Virustotal: Detection: 14%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Binary string: t:\ime\x86\ship\0\imecmnt.pdb6\ship\0\imecmnt.exe\bbtopt\imecmntO.pdb source: imecmnt.exe, 00000003.00000002.4507443595.000000002DBA1000.00000020.00000001.01000000.00000003.sdmp, imecmnt.exe, 00000003.00000000.2059506107.000000002DBA1000.00000020.00000001.01000000.00000003.sdmp, imecmnt.exe, 00000005.00000000.2224629702.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000005.00000002.2257799236.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: Binary string: t:\ime\x86\ship\0\imecmnt.pdb source: imecmnt.exe, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: Binary string: 6\ship\0\imecmnt.exe\bbtopt\imecmntO.pdb source: imecmnt.exe, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_6FB761EC FindFirstFileW, 3_2_6FB761EC
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_6C4F61EC FindFirstFileW, 5_2_6C4F61EC
Source: unknown TCP traffic detected without corresponding DNS query: 116.206.178.67
Source: imecmnt.exe, 00000003.00000003.3633568048.0000000008946000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windon
Source: imecmnt.exe, 00000003.00000003.3396199002.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3158740175.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341157017.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3459803958.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3421698717.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245178309.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3232146993.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3288559846.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3423149752.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsup
Source: imecmnt.exe, 00000003.00000003.4019282952.0000000008937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate
Source: imecmnt.exe, 00000003.00000003.4199951294.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3232146993.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3925738274.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4385769362.000000000891C000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3288559846.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4098677017.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3340559175.000000000891C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3459803958.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4253837768.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3979831109.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4199951294.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3925738274.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/6i
Source: imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/?iI
Source: imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000002.4504001086.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4019173186.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245178309.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3288559846.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Hh
Source: imecmnt.exe, 00000003.00000003.3396199002.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733932369.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341157017.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4019173186.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3815539575.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3459803958.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245178309.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3814006132.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3288559846.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/_h
Source: imecmnt.exe, 00000003.00000003.3423127639.000000000894B000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3340559175.0000000008948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/d
Source: imecmnt.exe, 00000003.00000003.3909591108.0000000008463000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733587256.0000000008463000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2867600121.0000000008465000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/tru
Source: imecmnt.exe, 00000003.00000003.4481337321.000000000892C000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000002.4507277691.000000000892C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedQ
Source: imecmnt.exe, 00000003.00000002.4504001086.0000000000F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3396199002.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3244099513.000000000845E000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4187516057.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505550706.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3619541905.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3618657597.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000002.4504001086.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3714967545.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716445321.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3137427769.0000000008472000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3911021141.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518226633.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3910828961.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733932369.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4005684128.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3830595175.000000000892C000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4098541000.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518590505.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4372080451.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: imecmnt.exe, 00000003.00000003.2867600121.0000000008472000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab$n
Source: imecmnt.exe, 00000003.00000003.3059020363.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3325812029.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3150354402.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245775569.000000000847A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?12a097f4e64f3
Source: imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?27d9f1a9bf18e
Source: imecmnt.exe, 00000003.00000003.3925431433.000000000845B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?36e3795370d63
Source: imecmnt.exe, 00000003.00000003.2966860999.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2867600121.0000000008472000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2867600121.000000000847A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4dec25eca75b4
Source: imecmnt.exe, 00000003.00000003.3830961120.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3979918862.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3925431433.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3911021141.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3979831109.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3925738274.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5872b181a4100
Source: imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6612615f6f8b2
Source: imecmnt.exe, 00000003.00000003.3814006132.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?81af322e81a6d
Source: imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?858976d52d71a
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2137836830.0000000008472000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2137780457.0000000008471000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9b263918feb52
Source: imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ab90ddf4b9683
Source: imecmnt.exe, 00000003.00000003.3158740175.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d08c16717473a
Source: imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000002.4504001086.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4372080451.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4253837768.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4279838935.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4199951294.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4463381103.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d281b98da966c
Source: imecmnt.exe, 00000003.00000003.4188071605.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dcbf262f68dd8
Source: imecmnt.exe, 00000003.00000003.3619541905.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3634141253.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3618751946.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716076529.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3533672809.000000000845E000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3533912228.0000000008462000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3534392488.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3618657597.0000000008465000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3715242359.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dfdd21d4744fa
Source: imecmnt.exe, 00000003.00000003.4098677017.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dfedb27c80db8
Source: imecmnt.exe, 00000003.00000003.3158740175.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2966860999.0000000008472000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3046066996.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e97b631e752a7
Source: imecmnt.exe, 00000003.00000003.3634141253.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3633568048.0000000008946000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716076529.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3815539575.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3814006132.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3813958421.000000000894B000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3715242359.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?efec4abf1c9b7
Source: imecmnt.exe, 00000003.00000003.3396199002.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3396361028.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341157017.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341437396.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3459803958.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3421698717.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3422186506.000000000847A000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3423149752.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f23f4f17e60bd
Source: imecmnt.exe, 00000003.00000003.3423149752.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f3ff1e4b268c6
Source: imecmnt.exe, 00000003.00000003.3635068937.0000000008466000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE
Source: imecmnt.exe, 00000003.00000003.3244099513.000000000845E000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505550706.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518226633.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3422186506.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3325812029.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341437396.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3396256713.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733587256.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245775569.0000000008462000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3246217784.0000000008467000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3460032031.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438515309.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP
Source: imecmnt.exe, 00000003.00000003.3505550706.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3460032031.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438515309.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabm_3H
Source: imecmnt.exe, 00000003.00000003.4463904523.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4463046351.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabv_$H
Source: imecmnt.exe, 00000003.00000002.4504001086.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3459803958.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4481612590.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438197277.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/rh
Source: imecmnt.exe, 00000003.00000003.4463046351.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/
Source: imecmnt.exe, 00000003.00000003.3137427769.0000000008472000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3150354402.0000000008472000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/$n
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/)
Source: imecmnt.exe, 00000003.00000003.3396199002.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341157017.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3421698717.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3423149752.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/.ulIb
Source: imecmnt.exe, 00000003.00000003.4187516057.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4109648348.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4098677017.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4188071605.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/7
Source: imecmnt.exe, 00000003.00000003.3714967545.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716445321.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733587256.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/E
Source: imecmnt.exe, 00000003.00000003.3505550706.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3911021141.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518226633.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3422186506.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3325812029.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341437396.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3396256713.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3460032031.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3909591108.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438515309.0000000008468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/G
Source: imecmnt.exe, 00000003.00000003.2856280109.0000000001034000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/H
Source: imecmnt.exe, 00000003.00000003.3909186456.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4187516057.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3619541905.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000002.4504001086.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3910828961.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733932369.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4005684128.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518590505.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4372080451.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3830961120.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3634141253.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4019173186.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3618751946.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716076529.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3815539575.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4109648348.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4253837768.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3814006132.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/Ku
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/Q
Source: imecmnt.exe, 00000003.00000003.2867600121.0000000008472000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/Vn
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/X
Source: imecmnt.exe, 00000003.00000003.2766965209.0000000008472000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/Ym
Source: imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/au1I
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/c
Source: imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/hu
Source: imecmnt.exe, 00000003.00000003.3618751946.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/iWrI
Source: imecmnt.exe, 00000003.00000003.3046066996.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/l
Source: imecmnt.exe, 00000003.00000003.4372080451.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4279838935.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4463381103.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/m
Source: imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/ou#I
Source: imecmnt.exe, 00000003.00000003.2364925819.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/u
Source: imecmnt.exe, 00000003.00000003.4279695146.0000000008468000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4254153237.0000000008467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67/v_$H
Source: imecmnt.exe, 00000003.00000003.3909186456.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4386147973.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4187516057.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3619541905.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3910828961.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3733932369.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4005684128.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3505626612.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518590505.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4372080451.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3830961120.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4292788976.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3634141253.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3341157017.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4019173186.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3618751946.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716076529.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3815539575.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.4109648348.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3421698717.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3245178309.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://116.206.178.67:443/m
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_6FB7949F Sleep,GetFileAttributesW,Sleep,CreateFileW,Sleep,exit,CreateThread,NtdllDefWindowProc_W, 3_2_6FB7949F
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_6FB791B9 Sleep,ReadFile,Sleep,Sleep,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,Sleep,EnumSystemGeoID, 3_2_6FB791B9
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_6C4F949F Sleep,GetFileAttributesW,Sleep,CreateFileW,Sleep,exit,CreateThread,NtdllDefWindowProc_W, 5_2_6C4F949F
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_6C4F91B9 Sleep,ReadFile,Sleep,Sleep,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,Sleep,EnumSystemGeoID, 5_2_6C4F91B9
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\588fef.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{00318A2B-0EB2-49D2-898C-4ABCB30CFD49}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9118.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\588ff1.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\588ff1.msi
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: String function: 2D57D465 appears 140 times
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: String function: 2D5A58E9 appears 90 times
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: String function: 2D57D498 appears 56 times
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: String function: 2D59B423 appears 102 times
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: String function: 2D5A2612 appears 46 times
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: String function: 2DBDB423 appears 51 times
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: String function: 2DBE58E9 appears 45 times
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: String function: 2DBBD465 appears 70 times
Source: classification engine Classification label: mal76.evad.winMSI@6/27@0/1
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBCED8 CoCreateInstance,memset, 3_2_2DBBCED8
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBC3CC4 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z,CloseHandle,FreeLibrary,FindResourceExW,SizeofResource,LoadResource,LockResource, 3_2_2DBC3CC4
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML9137.tmp
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Mutant created: \Sessions\1\BaseNamedObjects\rnLcoyQNV
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF6105C0498CDE2B42.TMP
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3cfc9c.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: 3cfc9c.msi ReversingLabs: Detection: 18%
Source: 3cfc9c.msi Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\3cfc9c.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe "C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe" 835 281
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe "C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe" 835 281
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: imjp14k.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: imjp14k.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: imjp14k.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Binary string: t:\ime\x86\ship\0\imecmnt.pdb6\ship\0\imecmnt.exe\bbtopt\imecmntO.pdb source: imecmnt.exe, 00000003.00000002.4507443595.000000002DBA1000.00000020.00000001.01000000.00000003.sdmp, imecmnt.exe, 00000003.00000000.2059506107.000000002DBA1000.00000020.00000001.01000000.00000003.sdmp, imecmnt.exe, 00000005.00000000.2224629702.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000005.00000002.2257799236.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: Binary string: t:\ime\x86\ship\0\imecmnt.pdb source: imecmnt.exe, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: Binary string: 6\ship\0\imecmnt.exe\bbtopt\imecmntO.pdb source: imecmnt.exe, imecmnt.exe, 00000006.00000002.2338321715.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe, 00000006.00000000.2305663711.000000002D561000.00000020.00000001.01000000.00000007.sdmp, imecmnt.exe.1.dr, imecmnt.exe.3.dr
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBAE34E LoadLibraryW,GetProcAddress,FreeLibrary, 3_2_2DBAE34E
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_03DDEF85 push cs; iretd 3_2_03DDEF93
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_03DDECD7 push cs; iretd 3_2_03DDECDA
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBD53D push ecx; ret 3_2_2DBBD550
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBD3F5 push ecx; ret 3_2_2DBBD408
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_0371EF85 push cs; iretd 5_2_0371EF93
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_0371ECD7 push cs; iretd 5_2_0371ECDA
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_2D57D53D push ecx; ret 5_2_2D57D550
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_2D57D3F5 push ecx; ret 5_2_2D57D408
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_034EEF85 push cs; iretd 6_2_034EEF93
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_034EECD7 push cs; iretd 6_2_034EECDA
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_2D57D53D push ecx; ret 6_2_2D57D550
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_2D57D3F5 push ecx; ret 6_2_2D57D408
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe File created: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\rrfqmEuGb\imjp14k.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe File created: C:\Users\user\AppData\Roaming\Intelnet\imjp14k.dll
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeLaunch
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeLaunch

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Memory written: PID: 4668 base: 75921720 value: E9 14 FA 52 8E
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Memory written: PID: 344 base: 75921720 value: E9 14 FA E6 8D
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Memory written: PID: 1196 base: 75921720 value: E9 14 FA C3 8D
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Window / User API: threadDelayed 9517
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe API coverage: 2.0 %
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API coverage: 1.9 %
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API coverage: 0.8 %
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe TID: 4508 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe TID: 2964 Thread sleep count: 340 > 30
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe TID: 2964 Thread sleep time: -340000s >= -30000s
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe TID: 2964 Thread sleep count: 9517 > 30
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe TID: 2964 Thread sleep time: -9517000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_6FB761EC FindFirstFileW, 3_2_6FB761EC
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_6C4F61EC FindFirstFileW, 5_2_6C4F61EC
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBB4CB8 GetSystemInfo, 3_2_2DBB4CB8
Source: imecmnt.exe, 00000003.00000002.4504001086.0000000000F96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8Z
Source: imecmnt.exe, 00000003.00000003.3618751946.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3715417727.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3925849626.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3518420891.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3534392488.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.2364925819.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3909314960.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3716193161.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3438355168.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3909925509.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, imecmnt.exe, 00000003.00000003.3421781271.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBC867 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 3_2_2DBBC867
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBAE34E LoadLibraryW,GetProcAddress,FreeLibrary, 3_2_2DBAE34E
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_03E38A92 mov eax, dword ptr fs:[00000030h] 3_2_03E38A92
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_03E3A7E5 mov eax, dword ptr fs:[00000030h] 3_2_03E3A7E5
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_03778A92 mov eax, dword ptr fs:[00000030h] 5_2_03778A92
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_0377A7E5 mov eax, dword ptr fs:[00000030h] 5_2_0377A7E5
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_03548A92 mov eax, dword ptr fs:[00000030h] 6_2_03548A92
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_0354A7E5 mov eax, dword ptr fs:[00000030h] 6_2_0354A7E5
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBC7B3 GetModuleHandleW,GetProcAddress,GetProcessHeap,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,VirtualProtect,VirtualProtect, 3_2_2DBBC7B3
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBC867 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 3_2_2DBBC867
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 5_2_2D57C867 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 5_2_2D57C867
Source: C:\Users\user\AppData\Roaming\Intelnet\imecmnt.exe Code function: 6_2_2D57C867 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 6_2_2D57C867
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_03E3623A cpuid 3_2_03E3623A
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBC7B3 GetModuleHandleW,GetProcAddress,GetProcessHeap,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,VirtualProtect,VirtualProtect, 3_2_2DBBC7B3
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Code function: 3_2_2DBBE648 GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey, 3_2_2DBBE648
Source: C:\Users\user\AppData\Local\rrfqmEuGb\imecmnt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid