Windows Analysis Report
15dasx.msi

Overview

General Information

Sample Name:	15dasx.msi
Analysis ID:	878630
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
Tags:	msi
Infos:

Detection

Qbot

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Connects to several IPs in different countries

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Signatures

AV Detection

Found malware configuration

Source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Sample uses string decryption to hide its real strings

Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netstat -nao
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: runas
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ipconfig /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net localgroup
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELF_TEST_1
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: p%08x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self test FAILED!!!
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self test OK.
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /t5
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: whoami /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: route print
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .lnk
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: arp -a
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net share
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe /c set
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self check
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u;%u;%u;
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ProfileImagePath
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ProgramData
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self check ok!
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: qwinsta
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net view
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Component_08
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Start screenshot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: appidapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\ProgramData
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Component_07
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netstat -nao
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: runas
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ipconfig /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SystemRoot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cscript.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/jpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LocalLow
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: displayName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shlwapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CommandLine
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernel32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: 1234567890
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wbj.go
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: System32
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Name
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WRSA.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SpyNetReporting
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: FALSE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhookx.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Packages
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: RepUx.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Winsta0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MsMpEng.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: userenv.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: csc_ui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \\.\pipe\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: pstorec.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: NTUSER.DAT
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: from
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: gdi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: setupapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: iphlpapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CrAmTray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: user32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \sf2.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Software\Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %S.%06d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bcrypt.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wtsapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shell32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: TRUE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Bios
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ByteFence.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: type=0x%04X
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: https
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fshoster32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernelbase.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: regsvr32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s\system32\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Process
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: APPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: select
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mcshield.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: advapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ws2_32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .cfg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Product
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WQL
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wininet.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LastBootUpTime
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: urlmon.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Create
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Initializing database...
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: winsta0\default
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dat
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: next
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wpcap.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/pjpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fmon.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vbs
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhooka.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SysWOW64
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mpr.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/gif
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: crypt32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ntdll.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: open
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SystemRoot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cscript.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/jpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LocalLow
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: displayName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shlwapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CommandLine
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernel32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: 1234567890
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wbj.go
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: System32
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Name
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WRSA.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SpyNetReporting
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: FALSE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhookx.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Packages
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: RepUx.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Winsta0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MsMpEng.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: userenv.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: csc_ui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \\.\pipe\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: pstorec.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: NTUSER.DAT
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: from
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: gdi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: setupapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: iphlpapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CrAmTray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: user32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \sf2.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Software\Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %S.%06d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bcrypt.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wtsapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shell32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: TRUE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Bios
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ByteFence.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: type=0x%04X
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: https
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fshoster32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernelbase.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: regsvr32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s\system32\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Process
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: APPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: select
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mcshield.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: advapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ws2_32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .cfg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Product
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WQL
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wininet.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LastBootUpTime
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: urlmon.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Create
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Initializing database...
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: winsta0\default
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dat
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: next
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wpcap.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/pjpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fmon.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vbs
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhooka.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SysWOW64
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mpr.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/gif
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: crypt32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ntdll.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: open
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,	6_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500A3 mv_twofish_crypt,	6_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C0B0 mv_cast5_crypt2,	6_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B0D0 mv_camellia_crypt,	6_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,	6_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C1B0 mv_cast5_crypt,	6_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,	6_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,	6_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,	6_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,	6_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004D4B0 mv_tea_crypt,	6_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100364E0 mv_rc4_crypt,	6_2_100364E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002523 mv_aes_crypt,	6_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001363B mv_encryption_init_info_alloc,	6_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000867B mv_blowfish_crypt_ecb,	6_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100136FB mv_encryption_init_info_alloc,	6_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,	6_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,	6_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,	6_2_10012B40

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 2.82.8.80 2.82.8.80
Source: Joe Sandbox View	IP Address: 70.160.67.203 70.160.67.203

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 30

Source: rundll32.exe, rundll32.exe, 00000006.00000002.554837079.00000000100AE000.00000002.00000001.01000000.00000005.sdmp, main.dll.2.dr

String found in binary or memory: https://streams.videolan.org/upload/

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

6_2_1004D9B0

Yara signature match

Source: 6.2.rundll32.exe.fb0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 6.2.rundll32.exe.860830.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 6.2.rundll32.exe.860830.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\61e624.msi

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004F020	6_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D060	6_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10028070	6_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500A3	6_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002B0B0	6_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B0D0	6_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500E1	6_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008144	6_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002A1A1	6_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100101D0	6_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001021B	6_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10058218	6_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10027220	6_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10033261	6_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007270	6_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10024280	6_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10023350	6_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100353B0	6_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100243C0	6_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013480	6_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004D4B0	6_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004C4C0	6_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D4D0	6_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004E517	6_2_1004E517
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F523	6_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100105C0	6_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100215D0	6_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10023620	6_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000164B	6_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100206A7	6_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004E71B	6_2_1004E71B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010750	6_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000E760	6_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010778	6_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002A800	6_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10030800	6_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B830	6_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10026870	6_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001900	6_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10091900	6_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D910	6_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F91B	6_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1009D970	6_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010980	6_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001099C	6_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100339B9	6_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C9F0	6_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FA00	6_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AA10	6_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10091A40	6_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007A50	6_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000EAC0	6_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FAE0	6_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FAF7	6_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10025B0C	6_2_10025B0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AB30	6_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003BA5	6_2_10003BA5

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15dasx.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B8083B9F-5F92-428D-9F9F-70E8D5BB328A}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B8083B9F-5F92-428D-9F9F-70E8D5BB328A}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CE145F37-D420-4881-8117-69BB8378B64A}

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_00E82297 mov eax, dword ptr fs:[00000030h]		6_3_00E82297
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E0D9 mov eax, dword ptr fs:[00000030h]		6_2_1001E0D9

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2E40000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2E10000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 913C50	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2E10000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2E40000 protect: page read and write			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 6.2.rundll32.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.554539683.0000000001110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true
147.219.4.194	unknown	United States	1498	DNIC-ASBLK-01498-01499US	true

ID:	878630
Product:	CloudBasic
Start time:	22:54:44
Start date:	30.05.2023
Sample:	15dasx.msi
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\61e623.rbs	data	5E1B15017AF6242863525CEA042AE1E7	B1FFD512C754AA8AE9EA56A28E365C00119E6101	4C9CFC15B5802B3FEFDB33C25095CD51A2DB9F1BCADF0F55AFBB4FC9A14AB7D9
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows	A55C357391C089F93F5EF157BE209F63	A859A7AB02760EE8CD4DCF219EB1D460371350A8	8D0C96718D4C7944FB648DF446D70ABBB87C5D4FF7C9735CF3BD9B2F11246A9E
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs	ASCII text, with CRLF line terminators	0D4C9F15CE74465C59AE36A27F98C817	9CCE8EEFA4D3D9C5E161C5DBB860CFE1489C6B1A	D24E3399060B51F3A1C9D41A67DE2601888A35C99DA8DB70070D757BB3F1913A
C:\Windows\Installer\61e622.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	AB8EF3423324168D06B2D122F75CA130	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
C:\Windows\Installer\61e624.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2	AB8EF3423324168D06B2D122F75CA130	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
C:\Windows\Installer\MSIE8E1.tmp	data	0B9D3C758584EFBC3D985C5162C20293	C52730B3195BB336B0EF282A2BD0156370E58946	7258FD70ADEAA67C3FF2519AFD0B9B202A113D3E1A7CDB79AD14093211596014
C:\Windows\Installer\SourceHash{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}	Composite Document File V2 Document, Cannot read section info	761F50755F94D674E4A0718AE489EEA6	376CD210E0C0A763F0275EB0FAFA81854D53CD4C	C50AF6F0221FC0F08047984BD35891BC143B85051F0F713DF8FEDDF4459F8DB8
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	F5A23A6FA744EEF09C2A7F8541FE5DBD	58DF694B007EF6DA2684EE80B1A150FBD06B1548	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	F2FB6C9C2B6BE3CF826D2DBE6C29F575	8D7A1AB2F22024BD1E7F41506C05DAC7967EC6D8	6DC9DFDE23D1421DDA60C7A94E25C4DE0024FCFE965CFA186EF5F55A085638DA
C:\Windows\Temp\~DF0BFC98B297E831EB.TMP	Composite Document File V2 Document, Cannot read section info	18D15B6891825B20A3FBBD04738B6633	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
C:\Windows\Temp\~DF1942D938D9238C10.TMP	data	A5ACCD3443CED8BC0B4137E3EA396278	CCA264CCC071A3FCC3AEA76C934A3F9C313D61D4	463244DE3829B3C5D994719E93594B2BB0BF9E382BBEEAE37E153BE97C8DED9E
C:\Windows\Temp\~DF1EBAA0DF6957A59B.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF26625000C3DFA716.TMP	Composite Document File V2 Document, Cannot read section info	18D15B6891825B20A3FBBD04738B6633	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
C:\Windows\Temp\~DF515B98A092999243.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF5DCD941B825AFF81.TMP	Composite Document File V2 Document, Cannot read section info	F5A23A6FA744EEF09C2A7F8541FE5DBD	58DF694B007EF6DA2684EE80B1A150FBD06B1548	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
C:\Windows\Temp\~DFC281F47278832CCC.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFD46BF27CA9C44E38.TMP	Composite Document File V2 Document, Cannot read section info	18D15B6891825B20A3FBBD04738B6633	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
C:\Windows\Temp\~DFD92D1524EDDCFC25.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFEAFD4A49B5364FC1.TMP	Composite Document File V2 Document, Cannot read section info	F5A23A6FA744EEF09C2A7F8541FE5DBD	58DF694B007EF6DA2684EE80B1A150FBD06B1548	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
C:\Windows\Temp\~DFF6F31659CEE207E5.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFFD8F8C1867A8E867.TMP	data	82E43552F0F7875FD425564DAB1C45C5	A85775C63AF567CCBCEECF01E8E10B3CB56661E7	31D5DF542C7533A468E811F5E32ABD1B0988FC35D56A233FFC4CA4211202FB2A

Windows Analysis Report 15dasx.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
15dasx.msi

Malware Threat Intel
Provided by