Windows Analysis Report
r3zg12.msi

Overview

General Information

Sample Name: r3zg12.msi
Analysis ID: 878465
MD5: 665afc8f8b7972f427fe1bd90d263032
SHA1: cc36e48f383750eb9416961b52ee3100b6e30688
SHA256: d764436caf7114d880f982d208bd9514a433772dcac851f27c510d1597e26edd
Tags: msi

Detection

Qbot
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Found inlined nop instructions (likely shell or obfuscated code)
Modifies existing Windows services
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Connects to several IPs in different countries
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates or modifies Windows services
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for JavaScript or VBS script (likely evasive script)

Classification

Name: Qbot (also tagged QakBot, qbot)
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection

Source: 00000007.00000002.1071797162.000000000029D000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Qbot {"Bot id": "obama265", "Campaign": "1685436052", "Version": "404.1320", "C2 list": ["103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "94.207.104.225:443", "89.114.140.100:443", "213.64.33.61:2222", "86.176.144.234:2222", "72.134.124.16:443", "47.34.30.133:443", "109.50.149.241:2222", "85.104.105.67:443", "81.111.108.123:443", "86.173.2.12:2222", "188.28.19.84:443", "41.228.224.161:995", "12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.184.103.97:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", 
"89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078"]}
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: error res='%s' err=%d len=%u
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: netstat -nao
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: runas
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ipconfig /all
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: net localgroup
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: nltest /domain_trusts /all_trusts
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Microsoft
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELF_TEST_1
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: p%08x
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Self test FAILED!!!
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Self test OK.
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: /t5
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: whoami /all
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: cmd
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: route print
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .lnk
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: arp -a
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: net share
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: cmd.exe /c set
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Self check
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %u;%u;%u;
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ProfileImagePath
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: at.exe %u:%u "%s" /I
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ProgramData
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Self check ok!
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: powershell.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: qwinsta
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: net view
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Component_08
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Start screenshot
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: schtasks.exe /Delete /F /TN %u
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: appidapi.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: c:\ProgramData
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Component_07
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: powershell.exe -encodedCommand %S
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: powershell.exe -encodedCommand
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SystemRoot
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: cscript.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: C:\INTERNAL\__empty
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_PhysicalMemory
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ALLUSERSPROFILE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: image/jpeg
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: LocalLow
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: displayName
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: shlwapi.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: CommandLine
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: kernel32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SubmitSamplesConsent
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: 1234567890
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wbj.go
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_DiskDrive
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: System32
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Name
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: WRSA.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: c:\\
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SpyNetReporting
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: FALSE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aswhookx.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Packages
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: application/x-shockwave-flash
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: RepUx.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Winsta0
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: avp.exe;kavtray.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: root\SecurityCenter2
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: MsMpEng.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: userenv.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: csc_ui.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: \\.\pipe\
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: pstorec.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: NTUSER.DAT
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: from
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: netapi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: gdi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: setupapi.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: iphlpapi.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Caption
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: CrAmTray.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_ComputerSystem
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: user32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: \sf2.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: egui.exe;ekrn.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Software\Microsoft
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %S.%06d
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: bcrypt.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wtsapi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: shell32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: TRUE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Bios
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: c:\hiberfil.sysss
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: */*
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ByteFence.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: type=0x%04X
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: snxhk_border_mywnd
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ROOT\CIMV2
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: https
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: fshoster32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: kernelbase.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: regsvr32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %s\system32\
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Process
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: rundll32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: LOCALAPPDATA
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: cmd.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: APPDATA
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: select
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: mcshield.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: advapi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ws2_32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .cfg
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Product
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: WQL
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wininet.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: LastBootUpTime
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: urlmon.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Create
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_PnPEntity
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Initializing database...
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: winsta0\default
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .dat
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: WBJ_IGNORE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: next
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wpcap.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: image/pjpeg
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: fmon.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: vbs
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aswhooka.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SysWOW64
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: mpr.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: image/gif
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: crypt32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ntdll.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: open
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Software\Microsoft
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %S.%06d
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: bcrypt.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wtsapi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: shell32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: TRUE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Bios
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: c:\hiberfil.sysss
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: */*
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ByteFence.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: type=0x%04X
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: snxhk_border_mywnd
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ROOT\CIMV2
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: https
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: fshoster32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: kernelbase.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: regsvr32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %s\system32\
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Process
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: rundll32.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: LOCALAPPDATA
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: cmd.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: APPDATA
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: select
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: mcshield.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: advapi32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ws2_32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .cfg
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_Product
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: WQL
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wininet.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: LastBootUpTime
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: urlmon.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Create
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Win32_PnPEntity
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Initializing database...
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: winsta0\default
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: .dat
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: WBJ_IGNORE
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: next
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: wpcap.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: image/pjpeg
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: fmon.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: vbs
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: aswhooka.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: SysWOW64
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: mpr.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: image/gif
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: crypt32.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: ntdll.dll
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: open
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C0B0 mv_cast5_crypt2, 7_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B0D0 mv_camellia_crypt, 7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc, 7_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C1B0 mv_cast5_crypt, 7_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free, 7_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt, 7_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free, 7_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb, 7_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10032510 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort, 7_2_10032510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002523 mv_aes_crypt, 7_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004D590 mv_twofish_crypt, 7_2_1004D590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001363B mv_encryption_init_info_alloc, 7_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000867B mv_blowfish_crypt_ecb, 7_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100136FB mv_encryption_init_info_alloc, 7_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc, 7_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1004A990 mv_tea_crypt, 7_2_1004A990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100339C0 mv_rc4_crypt, 7_2_100339C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free, 7_2_10012A70
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\wermgr.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then push ebx 7_2_1008B470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 7_2_1008B700

Networking

Source: Joe Sandbox View ASN Name: MEO-RESIDENCIALPT
Source: Joe Sandbox View IP Address: 2.82.8.80
Source: unknown Network traffic detected: IP country count 30
Source: rundll32.exe, rundll32.exe, 00000007.00000002.1072236585.00000000100AB000.00000002.00000001.01000000.00000006.sdmp, main.dll.2.dr String found in binary or memory: https://streams.videolan.org/upload/
Source: 7.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 7.2.rundll32.exe.2aa328.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 7.2.rundll32.exe.2aa328.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\725f13.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\725f12.msi
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\r3zg12.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\~DFCE21E83529306783.TMP Jump to behavior
Source: classification engine Classification label: mal92.troj.evad.winMSI@10/11@0/100
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{7DD17790-B8AD-4410-A157-17ED3BEC62EE}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{7DD17790-B8AD-4410-A157-17ED3BEC62EE}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{4F34BA3E-DAF6-44F5-9C34-3488F9C4B308}
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1008C51C push es; ret 7_2_1008C521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1008C5CA push es; ret 7_2_1008C5CB
Source: main.dll.2.dr Static PE information: real checksum: 0xe9e0f should be: 0xee24d
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3332 base: BD2AFF value: E9 B4 E8 55 FF Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2388 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3288 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2572 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3264 Thread sleep count: 109 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10032510 rdtsc 7_2_10032510
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10032510 Start: 100327F5 End: 1003263E 7_2_10032510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10032510 rdtsc 7_2_10032510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_3_00142297 mov eax, dword ptr fs:[00000030h] 7_3_00142297
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1002A9E9 mov eax, dword ptr fs:[00000030h] 7_2_1002A9E9
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 80000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BD2AFF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 130000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 80000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 130000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1008B030 cpuid 7_2_1008B030
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1008F660 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress, 7_2_1008F660

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 7.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2aa328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2aa328.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1071797162.000000000029D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1072022431.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 7.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2aa328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2aa328.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1071797162.000000000029D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1072022431.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY