Windows Analysis Report
r3zg12.msi

Overview

General Information

Sample Name:	r3zg12.msi
Analysis ID:	878465
MD5:	665afc8f8b7972f427fe1bd90d263032
SHA1:	cc36e48f383750eb9416961b52ee3100b6e30688
SHA256:	d764436caf7114d880f982d208bd9514a433772dcac851f27c510d1597e26edd
Tags:	msi
Infos:

Detection

Qbot

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Yara signature match

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Connects to several IPs in different countries

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "obama265", "Campaign": "1685436052", "Version": "404.1320", "C2 list": ["103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "94.207.104.225:443", "89.114.140.100:443", "213.64.33.61:2222", "86.176.144.234:2222", "72.134.124.16:443", "47.34.30.133:443", "109.50.149.241:2222", "85.104.105.67:443", "81.111.108.123:443", "86.173.2.12:2222", "188.28.19.84:443", "41.228.224.161:995", "12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.184.103.97:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078"]}

Sample uses string decryption to hide its real strings

Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: netstat -nao
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: runas
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ipconfig /all
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: net localgroup
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Microsoft
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELF_TEST_1
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: p%08x
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Self test FAILED!!!
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Self test OK.
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: /t5
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: whoami /all
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cmd
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: route print
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .lnk
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: arp -a
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: net share
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cmd.exe /c set
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Self check
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %u;%u;%u;
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ProfileImagePath
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ProgramData
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Self check ok!
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: powershell.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: qwinsta
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: net view
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Component_08
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Start screenshot
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: appidapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: c:\ProgramData
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Component_07
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: powershell.exe -encodedCommand
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: netstat -nao
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: runas
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ipconfig /all
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SystemRoot
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cscript.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/jpeg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LocalLow
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: displayName
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: shlwapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CommandLine
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: kernel32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: 1234567890
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wbj.go
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_DiskDrive
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: System32
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Name
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WRSA.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: c:\\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SpyNetReporting
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: FALSE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aswhookx.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Packages
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: RepUx.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Winsta0
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: root\SecurityCenter2
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: MsMpEng.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: userenv.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: csc_ui.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: \\.\pipe\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: pstorec.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: NTUSER.DAT
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: from
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: netapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: gdi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: setupapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: iphlpapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CrAmTray.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: user32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: \sf2.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Software\Microsoft
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %S.%06d
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: bcrypt.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wtsapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: shell32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: TRUE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Bios
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: /
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ByteFence.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: type=0x%04X
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ROOT\CIMV2
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: https
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: fshoster32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: kernelbase.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: regsvr32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %s\system32\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Process
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: rundll32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LOCALAPPDATA
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cmd.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: APPDATA
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: select
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: mcshield.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: advapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ws2_32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .cfg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Product
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WQL
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wininet.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LastBootUpTime
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: urlmon.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Create
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_PnPEntity
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Initializing database...
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: winsta0\default
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .dat
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WBJ_IGNORE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: next
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wpcap.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/pjpeg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: fmon.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: vbs
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aswhooka.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SysWOW64
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: mpr.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/gif
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: crypt32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ntdll.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: open
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SystemRoot
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cscript.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/jpeg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LocalLow
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: displayName
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: shlwapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CommandLine
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: kernel32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: 1234567890
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wbj.go
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_DiskDrive
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: System32
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Name
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WRSA.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: c:\\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SpyNetReporting
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: FALSE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aswhookx.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Packages
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: RepUx.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Winsta0
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: root\SecurityCenter2
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: MsMpEng.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: userenv.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: csc_ui.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: \\.\pipe\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: pstorec.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: NTUSER.DAT
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: from
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: netapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: gdi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: setupapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: iphlpapi.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CrAmTray.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: user32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: \sf2.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Software\Microsoft
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %S.%06d
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: bcrypt.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wtsapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: shell32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: TRUE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Bios
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: /
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ByteFence.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: type=0x%04X
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ROOT\CIMV2
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: https
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: fshoster32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: kernelbase.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: regsvr32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %s\system32\
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Process
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: rundll32.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LOCALAPPDATA
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: cmd.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: APPDATA
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: select
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: mcshield.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: advapi32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ws2_32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .cfg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_Product
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WQL
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wininet.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: LastBootUpTime
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: urlmon.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Create
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Win32_PnPEntity
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Initializing database...
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: winsta0\default
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: .dat
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: WBJ_IGNORE
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: next
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: wpcap.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/pjpeg
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: fmon.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: vbs
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: aswhooka.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: SysWOW64
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: mpr.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: image/gif
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: crypt32.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: ntdll.dll
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: open
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C0B0 mv_cast5_crypt2,	4_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B0D0 mv_camellia_crypt,	4_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,	4_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C1B0 mv_cast5_crypt,	4_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,	4_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,	4_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,	4_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,	4_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10032510 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,	4_2_10032510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002523 mv_aes_crypt,	4_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004D583 mv_twofish_crypt,	4_2_1004D583
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001363B mv_encryption_init_info_alloc,	4_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000867B mv_blowfish_crypt_ecb,	4_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100136FB mv_encryption_init_info_alloc,	4_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,	4_2_10013860

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 89.114.140.100:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 86.176.144.234:2222
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 109.50.149.241:2222
Source: Malware configuration extractor	IPs: 85.104.105.67:443
Source: Malware configuration extractor	IPs: 81.111.108.123:443
Source: Malware configuration extractor	IPs: 86.173.2.12:2222
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 41.228.224.161:995
Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.184.103.97:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: rundll32.exe, rundll32.exe, 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp, main.dll.1.dr

String found in binary or memory: https://streams.videolan.org/upload/

Yara signature match

Source: 4.2.rundll32.exe.2c90000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 4.2.rundll32.exe.2da0830.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\5334e9.msi

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D060	4_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B0D0	4_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F110	4_2_1002F110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008144	4_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100101D0	4_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001021B	4_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007270	4_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002B270	4_2_1002B270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004B2A5	4_2_1004B2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021340	4_2_10021340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002C390	4_2_1002C390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004D3B0	4_2_1004D3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004E3E0	4_2_1004E3E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002C428	4_2_1002C428
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10013480	4_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D4D0	4_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004C500	4_2_1004C500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10025550	4_2_10025550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004D583	4_2_1004D583
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10028590	4_2_10028590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100105C0	4_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004D5C1	4_2_1004D5C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000164B	4_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10027681	4_2_10027681
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10024700	4_2_10024700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10030741	4_2_10030741
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010750	4_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E760	4_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021760	4_2_10021760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010778	4_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002082C	4_2_1002082C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B830	4_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10032890	4_2_10032890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100218A0	4_2_100218A0

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\r3zg12.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{8F685A84-3827-4907-9724-729A0BCDED7E}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A15EDEFB-4B9B-46D3-AB82-3EBC136071E3}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A15EDEFB-4B9B-46D3-AB82-3EBC136071E3}

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe TID: 2360	Thread sleep count: 176 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7104	Thread sleep time: -45000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 4.2.rundll32.exe.2c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2da0830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2da0830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.374584964.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
105.184.103.97	unknown	South Africa	37457	Telkom-InternetZA	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
86.176.144.234	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
81.111.108.123	unknown	United Kingdom	5089	NTLGB	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
41.228.224.161	unknown	Tunisia	37693	TUNISIANATN	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
85.104.105.67	unknown	Turkey	9121	TTNETTR	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
86.173.2.12	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
109.50.149.241	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.219.4.194	unknown	United States	1498	DNIC-ASBLK-01498-01499US	true

ID:	878465
Product:	CloudBasic
Start time:	18:05:23
Start date:	30.05.2023
Sample:	r3zg12.msi
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	665afc8f8b7972f427fe1bd90d263032
SHA1:	cc36e48f383750eb9416961b52ee3100b6e30688
SHA256:	d764436caf7114d880f982d208bd9514a433772dcac851f27c510d1597e26edd
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\5334e8.rbs	data	C812AA360AFC13D5A8C4449856D77BA8	CC95BB7FE63ECAA1B3B37AE30C6D2338AEB1DAB9	4CFFB89764A8A7C0EDE2242FB8968A6A2F1EEEF03B881A3A788FAA0DFA1F824A
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows	5E107608DD00957472DB2C1FCC77599D	D9BFA3E88CA0F86182CB84D4008AC6B346B755E9	185737016A01E84BF88523A4681723B4F2D0D22520E77B76740CC3C6323E38BF
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	ASCII text, with CRLF line terminators	0D4C9F15CE74465C59AE36A27F98C817	9CCE8EEFA4D3D9C5E161C5DBB860CFE1489C6B1A	D24E3399060B51F3A1C9D41A67DE2601888A35C99DA8DB70070D757BB3F1913A
C:\Windows\Installer\5334e7.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}, Create Time/Date: Tue May 30 14:29:16 2023, Last Saved Time/Date: Tue May 30 14:29:16 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	665AFC8F8B7972F427FE1BD90D263032	CC36E48F383750EB9416961B52EE3100B6E30688	D764436CAF7114D880F982D208BD9514A433772DCAC851F27C510D1597E26EDD
C:\Windows\Installer\5334e9.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}, Create Time/Date: Tue May 30 14:29:16 2023, Last Saved Time/Date: Tue May 30 14:29:16 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	665AFC8F8B7972F427FE1BD90D263032	CC36E48F383750EB9416961B52EE3100B6E30688	D764436CAF7114D880F982D208BD9514A433772DCAC851F27C510D1597E26EDD
C:\Windows\Installer\MSI36EA.tmp	data	1F6513D8FA2AB1C6046B39CC245944A4	B10AB5ACCE2B699F17C849407F8C3E7B3B1B8AFB	DB342F3508603862C738AA37C27F04FA57E10FFD7C165662DC2FE04DEF7BE192
C:\Windows\Installer\SourceHash{BADFC54D-C40E-45B2-8055-C154444F1F83}	Composite Document File V2 Document, Cannot read section info	37AB2087D8192F73564465B95F0BDA79	1406A27DC80D84250F76BF21BD56687AC594249F	9D7BD6336C836A1991242C4A183A064021894E9A9F38F8CC6081274863C54DA7
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	430F2ADF3561DDB478079AF68E971D68	7431BA57FB0275B6276BBA7370A317D67552D8B6	8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	3B520410F621CAAC0C856D080A24DC73	62B660B648C06F16DFDEE47AC468EF44F9E81D14	D71D62F7FA3DAF2E96B31CF428170D103C5D17C9326C1BCA9805C6FA561F2F40
C:\Windows\Temp\~DF09B6AE6DA39A576A.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF29580D728BC5B4ED.TMP	data	5A66F5FD08B8CA2249380DDDF49D9D33	B4BD32E998A3A44BCC463E516596546E00296F96	7825ED9BF119F45394DD851AAE50644AF5B0A10637237F55A7611CCCBDCCB99A
C:\Windows\Temp\~DF385081A1CE239BA3.TMP	Composite Document File V2 Document, Cannot read section info	5F8C47B7D4AFB1220F17DA429EAACB81	14180142867FDD137664D86CE077E44BB66C5DF9	99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
C:\Windows\Temp\~DF3DD2B7692E631D41.TMP	Composite Document File V2 Document, Cannot read section info	5F8C47B7D4AFB1220F17DA429EAACB81	14180142867FDD137664D86CE077E44BB66C5DF9	99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
C:\Windows\Temp\~DF4C3BF86A9825BAFE.TMP	Composite Document File V2 Document, Cannot read section info	5F8C47B7D4AFB1220F17DA429EAACB81	14180142867FDD137664D86CE077E44BB66C5DF9	99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
C:\Windows\Temp\~DF5DF60473004ABCC7.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF6B3BC2C5354ED014.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF7864E6E6496DBA61.TMP	Composite Document File V2 Document, Cannot read section info	430F2ADF3561DDB478079AF68E971D68	7431BA57FB0275B6276BBA7370A317D67552D8B6	8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
C:\Windows\Temp\~DF8AE2E68986D61390.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF934EA1F7B18385F5.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC5E20CC9F13FECB6.TMP	Composite Document File V2 Document, Cannot read section info	430F2ADF3561DDB478079AF68E971D68	7431BA57FB0275B6276BBA7370A317D67552D8B6	8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
C:\Windows\Temp\~DFDD7490D2FF8A1B23.TMP	data	D429E7962EAB07E07C545C296E8B0F35	9AC331509B3E15434194BAECFA89488D380435FC	14064733FE0126C92AE648CE46DD3AF9820F19CA4F87B6FFCD9134C3A4FD19EE

Windows Analysis Report r3zg12.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
r3zg12.msi

Malware Threat Intel
Provided by