Windows Analysis Report
15dasx.msi

Overview

General Information

Sample Name:	15dasx.msi
Analysis ID:	878630
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
Tags:	msi
Infos:

Detection

Qbot

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Modifies existing windows services

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Connects to several IPs in different countries

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Creates or modifies windows services

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Signatures

AV Detection

Found malware configuration

Source: 00000007.00000002.1050043697.000000000037D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Sample uses string decryption to hide its real strings

Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: netstat -nao
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: runas
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ipconfig /all
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: net localgroup
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Microsoft
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELF_TEST_1
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: p%08x
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Self test FAILED!!!
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Self test OK.
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: /t5
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: whoami /all
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cmd
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: route print
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .lnk
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: arp -a
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: net share
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cmd.exe /c set
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Self check
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %u;%u;%u;
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ProfileImagePath
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ProgramData
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Self check ok!
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: powershell.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: qwinsta
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: net view
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Component_08
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Start screenshot
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: appidapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: c:\ProgramData
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Component_07
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: powershell.exe -encodedCommand
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: netstat -nao
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: runas
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ipconfig /all
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SystemRoot
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cscript.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/jpeg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LocalLow
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: displayName
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: shlwapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CommandLine
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: kernel32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: 1234567890
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wbj.go
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_DiskDrive
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: System32
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Name
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WRSA.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: c:\\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SpyNetReporting
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: FALSE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aswhookx.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Packages
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: RepUx.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Winsta0
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: root\SecurityCenter2
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: MsMpEng.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: userenv.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: csc_ui.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: \\.\pipe\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: pstorec.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: NTUSER.DAT
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: from
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: netapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: gdi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: setupapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: iphlpapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CrAmTray.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: user32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: \sf2.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Software\Microsoft
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %S.%06d
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: bcrypt.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wtsapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: shell32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: TRUE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Bios
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: /
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ByteFence.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: type=0x%04X
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ROOT\CIMV2
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: https
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: fshoster32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: kernelbase.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: regsvr32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %s\system32\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Process
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: rundll32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LOCALAPPDATA
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cmd.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: APPDATA
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: select
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: mcshield.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: advapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ws2_32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .cfg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Product
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WQL
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wininet.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LastBootUpTime
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: urlmon.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Create
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_PnPEntity
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Initializing database...
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: winsta0\default
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .dat
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WBJ_IGNORE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: next
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wpcap.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/pjpeg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: fmon.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: vbs
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aswhooka.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SysWOW64
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: mpr.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/gif
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: crypt32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ntdll.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: open
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SystemRoot
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cscript.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/jpeg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LocalLow
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: displayName
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: shlwapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CommandLine
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: kernel32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: 1234567890
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wbj.go
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_DiskDrive
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: System32
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Name
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WRSA.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: c:\\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SpyNetReporting
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: FALSE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aswhookx.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Packages
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: RepUx.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Winsta0
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: root\SecurityCenter2
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: MsMpEng.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: userenv.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: csc_ui.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: \\.\pipe\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: pstorec.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: NTUSER.DAT
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: from
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: netapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: gdi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: setupapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: iphlpapi.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CrAmTray.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: user32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: \sf2.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Software\Microsoft
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %S.%06d
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: bcrypt.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wtsapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: shell32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: TRUE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Bios
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: /
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ByteFence.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: type=0x%04X
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ROOT\CIMV2
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: https
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: fshoster32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: kernelbase.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: regsvr32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %s\system32\
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Process
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: rundll32.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LOCALAPPDATA
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: cmd.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: APPDATA
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: select
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: mcshield.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: advapi32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ws2_32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .cfg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_Product
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WQL
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wininet.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: LastBootUpTime
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: urlmon.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Create
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Win32_PnPEntity
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Initializing database...
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: winsta0\default
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: .dat
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: WBJ_IGNORE
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: next
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: wpcap.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/pjpeg
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: fmon.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: vbs
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: aswhooka.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: SysWOW64
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: mpr.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: image/gif
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: crypt32.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: ntdll.dll
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: open
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 7.2.rundll32.exe.1b0000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,	7_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C0B0 mv_cast5_crypt2,	7_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100500B0 mv_twofish_crypt,	7_2_100500B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000B0D0 mv_camellia_crypt,	7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,	7_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C1B0 mv_cast5_crypt,	7_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,	7_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,	7_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,	7_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,	7_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004D4B0 mv_tea_crypt,	7_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100364E0 mv_rc4_crypt,	7_2_100364E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002523 mv_aes_crypt,	7_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001363B mv_encryption_init_info_alloc,	7_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000867B mv_blowfish_crypt_ecb,	7_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100136FB mv_encryption_init_info_alloc,	7_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100907D0 mv_xtea_crypt,	7_2_100907D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,	7_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10090910 mv_xtea_le_crypt,	7_2_10090910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,	7_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,	7_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001BF0 mv_aes_crypt,	7_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,	7_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,	7_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007DC0 mv_blowfish_crypt_ecb,	7_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010E40 mv_des_crypt,	7_2_10010E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012F30 mv_encryption_info_add_side_data,mv_malloc,	7_2_10012F30

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 30

Source: rundll32.exe, rundll32.exe, 00000007.00000002.1050425390.00000000100AE000.00000002.00000001.01000000.00000006.sdmp, main.dll.2.dr

String found in binary or memory: https://streams.videolan.org/upload/

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

7_2_1004D9B0

Yara signature match

Source: 7.2.rundll32.exe.38a328.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 7.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 7.2.rundll32.exe.38a328.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6bb81b.ipi

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007A002	7_2_1007A002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004F020	7_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10080031	7_2_10080031
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D060	7_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10028070	7_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10085070	7_2_10085070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002B0B0	7_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100500B0	7_2_100500B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000B0D0	7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100500E1	7_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007F101	7_2_1007F101
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008144	7_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1008D160	7_2_1008D160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10083180	7_2_10083180
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002A1B0	7_2_1002A1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100691B1	7_2_100691B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100101D0	7_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001021B	7_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10058218	7_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10027220	7_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100A722C	7_2_100A722C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1008A268	7_2_1008A268
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007C260	7_2_1007C260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007270	7_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10033270	7_2_10033270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1008A270	7_2_1008A270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10024280	7_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100792E0	7_2_100792E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10088310	7_2_10088310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10023350	7_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100353B0	7_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100243C0	7_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10082420	7_2_10082420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100A8460	7_2_100A8460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013480	7_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004D4B0	7_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004C4C0	7_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D4D0	7_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F523	7_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004E520	7_2_1004E520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100A8599	7_2_100A8599
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100105C0	7_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007F5D7	7_2_1007F5D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100215D0	7_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10084610	7_2_10084610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10023620	7_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007B630	7_2_1007B630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100A8637	7_2_100A8637
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000164B	7_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100206A7	7_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004E720	7_2_1004E720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010750	7_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E760	7_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1008B768	7_2_1008B768
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010778	7_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007D7B6	7_2_1007D7B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100977C9	7_2_100977C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100807C7	7_2_100807C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100897F0	7_2_100897F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002A800	7_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10030800	7_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000B830	7_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007E856	7_2_1007E856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10087860	7_2_10087860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026870	7_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10082895	7_2_10082895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100798E0	7_2_100798E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001900	7_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10091900	7_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D910	7_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10090910	7_2_10090910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F91B	7_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1009D970	7_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010980	7_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001099C	7_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100339C0	7_2_100339C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100809D9	7_2_100809D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C9F0	7_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FA00	7_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AA10	7_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10085A30	7_2_10085A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10091A40	7_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007A50	7_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EAC0	7_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FAE0	7_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FAF7	7_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10025B10	7_2_10025B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AB30	7_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007BB30	7_2_1007BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003BA5	7_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10083BB1	7_2_10083BB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FBC0	7_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001C10	7_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DC10	7_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EC10	7_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007CC13	7_2_1007CC13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1009AC38	7_2_1009AC38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10031C30	7_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BC40	7_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100A6C8E	7_2_100A6C8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004C96	7_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1008ACB4	7_2_1008ACB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000ECC9	7_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DD40	7_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CD50	7_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002DD90	7_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EDB0	7_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007DC0	7_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004DDD0	7_2_1004DDD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10077E10	7_2_10077E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10086E10	7_2_10086E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10088E30	7_2_10088E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007FE67	7_2_1007FE67
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10023E60	7_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004E92	7_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CEA0	7_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002EEB0	7_2_1002EEB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1004FED0	7_2_1004FED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10050F00	7_2_10050F00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1007EF35	7_2_1007EF35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002EF48	7_2_1002EF48

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 77620000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 77740000 page execute and read and write			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15dasx.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{065B9DAD-62CE-4CBE-AFA4-0D608B2434EA}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{065B9DAD-62CE-4CBE-AFA4-0D608B2434EA}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B4DCC149-5F2E-4517-ACAA-2922F89FD530}

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe TID: 2600	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2600	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 616	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2624	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 2640	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_3_00182297 mov eax, dword ptr fs:[00000030h]		7_3_00182297
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E0D9 mov eax, dword ptr fs:[00000030h]		7_2_1001E0D9

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 130000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 100000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2D2AFF	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 100000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 130000 protect: page read and write			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 7.2.rundll32.exe.38a328.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.38a328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1050273322.00000000023DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1050043697.000000000037D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true
147.219.4.194	unknown	United States	1498	DNIC-ASBLK-01498-01499US	true

ID:	878630
Product:	CloudBasic
Start time:	22:46:08
Start date:	30.05.2023
Sample:	15dasx.msi
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\6bb81c.rbs	data	2EB510D377D89068BE09E7B1E3D5A70A	DFF25995677E5F263F829188E8304ABDE3D994D5	AE9951F7F09A03785CE94F7F4ECCD7A5DE0C4DE352234C83D6B6C929CBD03D04
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows	A55C357391C089F93F5EF157BE209F63	A859A7AB02760EE8CD4DCF219EB1D460371350A8	8D0C96718D4C7944FB648DF446D70ABBB87C5D4FF7C9735CF3BD9B2F11246A9E
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	ASCII text, with CRLF line terminators	0D4C9F15CE74465C59AE36A27F98C817	9CCE8EEFA4D3D9C5E161C5DBB860CFE1489C6B1A	D24E3399060B51F3A1C9D41A67DE2601888A35C99DA8DB70070D757BB3F1913A
C:\Users\user\AppData\Local\Temp\~DF4899FDBF77CB7EDE.TMP	data	82E43552F0F7875FD425564DAB1C45C5	A85775C63AF567CCBCEECF01E8E10B3CB56661E7	31D5DF542C7533A468E811F5E32ABD1B0988FC35D56A233FFC4CA4211202FB2A
C:\Users\user\AppData\Local\Temp\~DFA9753353B6A77A75.TMP	data	F8B41D211697EEE05791DF7A862B3942	63B8F609BB546B14FBDB82E1B13B436A94260BBD	55C89653912C2FE98C7DC855191898A4445FA78AE8C557CAABC00B58C5554747
C:\Users\user\AppData\Local\Temp\~DFC65A62CAF401C2CF.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Installer\6bb81a.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	AB8EF3423324168D06B2D122F75CA130	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
C:\Windows\Installer\6bb81b.ipi	Composite Document File V2 Document, Cannot read section info	4F184BE6D7D0C90A3675262A41E494CC	FF0A74C16271E7EEDF96732229B90492921B52EC	72D06F2C743AE20C220767EAB4FEAF666CAF92E31D0EE37DD4253027FE2E2B3F
C:\Windows\Installer\6bb81d.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	AB8EF3423324168D06B2D122F75CA130	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
C:\Windows\Installer\MSI8ED9.tmp	data	98D6FE23EEFA66343D02362715DE6A1B	8F0C0BE4E71FF7D71A5A77DD823D70C39E506856	65A632BED627509E9FF49A6A16666B11E4EBEA3A26FC069E6C156290F4023B0D
C:\Windows\Installer\SourceHash{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}	Composite Document File V2 Document, Cannot read section info	A30D6EE443F5F383CD600F105CD74165	E5CCC5ADD0A5AB95D5168E4889C4D8BA6CB24CA5	A1A5E17B1DDA584A2FBDF8AAB33A2F3962F8775A13E7E314CA344E04B4C5BDA7

Windows Analysis Report 15dasx.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
15dasx.msi

Malware Threat Intel
Provided by