Edit tour

Windows Analysis Report
15dasx.msi

Overview

General Information

Sample Name:	15dasx.msi
Analysis ID:	878630
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
Tags:	msi
Infos:

Detection

Qbot

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Connects to several IPs in different countries

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5760 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15dasx.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5708 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4028 cmdline: rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

wscript.exe (PID: 1008 cmdline: wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000006.00000002.554539683.0000000001110000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.rundll32.exe.fb0000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
6.2.rundll32.exe.fb0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
6.2.rundll32.exe.860830.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
6.2.rundll32.exe.860830.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
6.2.rundll32.exe.860830.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
6.2.rundll32.exe.860830.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Sample uses string decryption to hide its real strings

Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netstat -nao
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: runas
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ipconfig /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net localgroup
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELF_TEST_1
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: p%08x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self test FAILED!!!
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self test OK.
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /t5
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: whoami /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: route print
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .lnk
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: arp -a
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net share
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe /c set
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self check
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u;%u;%u;
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ProfileImagePath
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ProgramData
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Self check ok!
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: qwinsta
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: net view
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Component_08
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Start screenshot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: appidapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\ProgramData
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Component_07
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netstat -nao
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: runas
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ipconfig /all
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SystemRoot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cscript.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/jpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LocalLow
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: displayName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shlwapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CommandLine
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernel32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: 1234567890
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wbj.go
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: System32
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Name
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WRSA.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SpyNetReporting
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: FALSE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhookx.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Packages
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: RepUx.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Winsta0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MsMpEng.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: userenv.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: csc_ui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \\.\pipe\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: pstorec.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: NTUSER.DAT
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: from
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: gdi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: setupapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: iphlpapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CrAmTray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: user32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \sf2.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Software\Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %S.%06d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bcrypt.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wtsapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shell32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: TRUE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Bios
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ByteFence.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: type=0x%04X
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: https
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fshoster32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernelbase.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: regsvr32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s\system32\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Process
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: APPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: select
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mcshield.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: advapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ws2_32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .cfg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Product
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WQL
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wininet.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LastBootUpTime
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: urlmon.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Create
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Initializing database...
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: winsta0\default
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dat
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: next
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wpcap.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/pjpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fmon.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vbs
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhooka.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SysWOW64
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mpr.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/gif
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: crypt32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ntdll.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: open
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SystemRoot
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cscript.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/jpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LocalLow
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: displayName
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shlwapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CommandLine
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernel32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: 1234567890
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wbj.go
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: System32
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Name
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WRSA.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SpyNetReporting
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: FALSE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhookx.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Packages
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: RepUx.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Winsta0
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: MsMpEng.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: userenv.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: csc_ui.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \\.\pipe\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: pstorec.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: NTUSER.DAT
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: from
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: netapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: gdi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: setupapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: iphlpapi.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CrAmTray.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: user32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: \sf2.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Software\Microsoft
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %S.%06d
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bcrypt.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wtsapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: shell32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: TRUE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Bios
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: /
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ByteFence.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: type=0x%04X
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: https
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fshoster32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: kernelbase.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: regsvr32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %s\system32\
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Process
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: rundll32.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: cmd.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: APPDATA
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: select
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mcshield.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: advapi32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ws2_32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .cfg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_Product
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WQL
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wininet.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: LastBootUpTime
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: urlmon.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Create
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Initializing database...
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: winsta0\default
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: .dat
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: next
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: wpcap.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/pjpeg
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: fmon.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: vbs
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: aswhooka.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: SysWOW64
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: mpr.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: image/gif
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: crypt32.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: ntdll.dll
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: open
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 6.2.rundll32.exe.fb0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500A3 mv_twofish_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C0B0 mv_cast5_crypt2,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B0D0 mv_camellia_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C1B0 mv_cast5_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004D4B0 mv_tea_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100364E0 mv_rc4_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002523 mv_aes_crypt,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001363B mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000867B mv_blowfish_crypt_ecb,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100136FB mv_encryption_init_info_alloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\wscript.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	IP Address: 2.82.8.80 2.82.8.80
Source: Joe Sandbox View	IP Address: 70.160.67.203 70.160.67.203

Source: unknown

Network traffic detected: IP country count 30

Source: rundll32.exe, rundll32.exe, 00000006.00000002.554837079.00000000100AE000.00000002.00000001.01000000.00000005.sdmp, main.dll.2.dr

String found in binary or memory: https://streams.videolan.org/upload/

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

Source: 6.2.rundll32.exe.fb0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 6.2.rundll32.exe.860830.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 6.2.rundll32.exe.860830.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\61e624.msi

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\61e622.msi

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004E517
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004E71B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10025B0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003BA5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 100089C0 appears 32 times

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15dasx.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF1942D938D9238C10.TMP

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winMSI@10/21@0/100

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B8083B9F-5F92-428D-9F9F-70E8D5BB328A}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B8083B9F-5F92-428D-9F9F-70E8D5BB328A}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CE145F37-D420-4881-8117-69BB8378B64A}

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_100A2A90 push eax; mov dword ptr [esp], esi

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: main.dll.2.dr

Static PE information: real checksum: 0xf1b7b should be: 0xf8504

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6944 base: 913C50 value: E9 63 D7 4F 02

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 3984

Thread sleep count: 182 > 30

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.1 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10035030 Start: 10035315 End: 1003515E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10035030 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_00E82297 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E0D9 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2E40000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2E10000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 913C50

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2E10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2E40000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2E10000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1008DB50 cpuid

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000006.00000003.545687978.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 6.2.rundll32.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.554539683.0000000001110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 6.2.rundll32.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.860830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.554539683.0000000001110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Scripting	1 DLL Side-Loading	311 Process Injection	11 Masquerading	1 Credential API Hooking	2 System Time Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Scripting	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 File Deletion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
15dasx.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
https://streams.videolan.org/upload/	rundll32.exe, rundll32.exe, 00000006.00000002.554837079.00000000100AE000.00000002.00000001.01000000.00000005.sdmp, main.dll.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true
147.219.4.194	unknown	United States	1498	DNIC-ASBLK-01498-01499US	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878630
Start date and time:	2023-05-30 22:54:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	15dasx.msi
Detection:	MAL
Classification:	mal92.troj.evad.winMSI@10/21@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 5% (good quality ratio 2.2%) Quality average: 19.7% Quality standard deviation: 28.2%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: 15dasx.msi

Simulations

Behavior and APIs

Time	Type	Description
22:55:51	API Interceptor	9x Sleep call for process: wermgr.exe modified

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	8918
Entropy (8bit):	5.58962421937737
Encrypted:	false
SSDEEP:	192:zXF6eaSEBwgr6SEBwgQH6NBIUVpy8T8amhl:z6rwPrwJc3i
MD5:	5E1B15017AF6242863525CEA042AE1E7
SHA1:	B1FFD512C754AA8AE9EA56A28E365C00119E6101
SHA-256:	4C9CFC15B5802B3FEFDB33C25095CD51A2DB9F1BCADF0F55AFBB4FC9A14AB7D9
SHA-512:	65FFC4E9437045D22CB345773768930DB4D97D195E08FBD2E89FA2F03E4D80991F6D8A9A87C3FC70C4E31B639C45BC80CAF933ED7F40CD435B1951C564939192
Malicious:	false
Preview:	...@IXOS.@.....@...V.@.....@.....@.....@.....@.....@......&.{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}'.Adobe Acrobat PDF Browser Plugin 4.8.25..15dasx.msi.@.....@.....@.....@........&.{6ECD3C06-98A2-44A1-A41E-271C903F257F}.....@.....@.....@.....@.......@.....@.....@.......@....'.Adobe Acrobat PDF Browser Plugin 4.8.25......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{82B5B2FD-2237-42AB-9F03-B3B9EAB30000}&.{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..:.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\....B.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll....D.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs....WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....%.Software\AdobeAcrobatPDFBrowserPlugin...@....(.&...AdobeAcrobatPDFBro

C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	962048
Entropy (8bit):	6.7504689709982175
Encrypted:	false
SSDEEP:	24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd47:DZ8RDwlJGoY7X7
MD5:	A55C357391C089F93F5EF157BE209F63
SHA1:	A859A7AB02760EE8CD4DCF219EB1D460371350A8
SHA-256:	8D0C96718D4C7944FB648DF446D70ABBB87C5D4FF7C9735CF3BD9B2F11246A9E
SHA-512:	36152E39BACA8A0566C31DB97FF35D30E995FED246509C9816966D49F82143155225FE4BF07B7975DB1BEDC299008442FEC05D5A7588C18F6FD6EE1E821A471B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC...........0..x....................@..(A...........................a......................(................................text...$...........................`..`.data...............................@....rdata..$...........................@..@.bss....d............`...................edata..hC.......D...`..............@..@.idata..............................@....CRT....0...........................@....tls......... ......................@....rsrc...N....0......................@....reloc..(A.......B...l..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	132
Entropy (8bit):	4.599233980549996
Encrypted:	false
SSDEEP:	3:LwBxFkvH4dGmMKLVKRLGPz4VAFkvH4dGmMKLVKRLGH:cHFkvYdlZKRLi7FkvYdlZKRL4
MD5:	0D4C9F15CE74465C59AE36A27F98C817
SHA1:	9CCE8EEFA4D3D9C5E161C5DBB860CFE1489C6B1A
SHA-256:	D24E3399060B51F3A1C9D41A67DE2601888A35C99DA8DB70070D757BB3F1913A
SHA-512:	9BED0EAFC2CF2A2360850CA1070FFB04AC14F04C78379485998A93F45012B5C11CC7F6F68129F65B8B5F90437CB965908C6A1BB9D83A56B068D6BDE1D5FDAD1F
Malicious:	false
Preview:	MsgBox "Adobe Acrobat PDF Browser Plugin installation error 0x00000328", 16, "Adobe Acrobat PDF Browser Plugin installation error"..

C:\Windows\Installer\61e622.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	516096
Entropy (8bit):	7.918002678282303
Encrypted:	false
SSDEEP:	6144:jESkw7402pCiyBH6DlIxtWb9jOyHLmsjzcGet8Rghs0O892YptgrGzjkacDO+cDb:3kdiMHHLmKzQ8tfacDO+wVydjSavjQ
MD5:	AB8EF3423324168D06B2D122F75CA130
SHA1:	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6
SHA-256:	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
SHA-512:	8AADA720840A74A361D92DB1174D3AE8119FF2F70903A396BC0AE60ACFDFDF5D7FB781315B155F0B507B7B260A3F4FF8435DC9BA13E05F1547F2ABEA0C7DA220
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\61e624.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	516096
Entropy (8bit):	7.918002678282303
Encrypted:	false
SSDEEP:	6144:jESkw7402pCiyBH6DlIxtWb9jOyHLmsjzcGet8Rghs0O892YptgrGzjkacDO+cDb:3kdiMHHLmKzQ8tfacDO+wVydjSavjQ
MD5:	AB8EF3423324168D06B2D122F75CA130
SHA1:	A7E273DDD7CDF303E366CBA16ABFD4C3966F2CF6
SHA-256:	4E70DA2D2EFC833EB5C450C9F82AAA7D433E31E39DC4EC36CA3C5DDDE0F4DC00
SHA-512:	8AADA720840A74A361D92DB1174D3AE8119FF2F70903A396BC0AE60ACFDFDF5D7FB781315B155F0B507B7B260A3F4FF8435DC9BA13E05F1547F2ABEA0C7DA220
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE8E1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2138
Entropy (8bit):	5.594517269430135
Encrypted:	false
SSDEEP:	48:uf1lnOLJwCP3PDufgL8YPRBoD8SY1eU/L4nLu1lnCnfaEVltdtc1ln2n:uXSx8YPrAuei4LeefaEP62n
MD5:	0B9D3C758584EFBC3D985C5162C20293
SHA1:	C52730B3195BB336B0EF282A2BD0156370E58946
SHA-256:	7258FD70ADEAA67C3FF2519AFD0B9B202A113D3E1A7CDB79AD14093211596014
SHA-512:	E7CE00C7CBD26543B17EE34BE456CAD607FCED4A8696670AA0FE36557EAB998AE92F731BC7F90DCD9CE43A3F3BC9BCB1711BCFA1F93969FB63F68E7D79877D6C
Malicious:	false
Preview:	...@IXOS.@.....@...V.@.....@.....@.....@.....@.....@......&.{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}'.Adobe Acrobat PDF Browser Plugin 4.8.25..15dasx.msi.@.....@.....@.....@........&.{6ECD3C06-98A2-44A1-A41E-271C903F257F}.....@.....@.....@.....@.......@.....@.....@.......@....'.Adobe Acrobat PDF Browser Plugin 4.8.25......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{82B5B2FD-2237-42AB-9F03-B3B9EAB30000}F.01:\Software\AdobeAcrobatPDFBrowserPlugin\AdobeAcrobatPDFBrowserPlugin.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@......:.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\..).1\xssanpen\\|AdobeAcrobatPDFBrowserPlugin\......Please insert the disk: ..media3.cab.@.....@......C:\Windows\Installer\61e622.msi.........@........main.dll..dll_main..main.dll.@.....@.....@.......@...

C:\Windows\Installer\SourceHash{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1628561562250028
Encrypted:	false
SSDEEP:	12:JSbX72FjSSAGiLIlHVRpth/7777777777777777777777777vDHFPuC77HrpSl0G:JASQI5pFBHlF
MD5:	761F50755F94D674E4A0718AE489EEA6
SHA1:	376CD210E0C0A763F0275EB0FAFA81854D53CD4C
SHA-256:	C50AF6F0221FC0F08047984BD35891BC143B85051F0F713DF8FEDDF4459F8DB8
SHA-512:	0BFF860E332AC3E530CCA69FFDEB7CB65A942759984B0B1A9DE21B9609A099FE8684C9F776E51AEF9011AC2347030D1BB034C6EB6AAB24EF423CDE2946F2C889
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5046533420623267
Encrypted:	false
SSDEEP:	48:S8PhfuRc06WXJ8FT50zPHW9MS5o7rD6W9MSI818l:9hf1fFTaTjA
MD5:	F5A23A6FA744EEF09C2A7F8541FE5DBD
SHA1:	58DF694B007EF6DA2684EE80B1A150FBD06B1548
SHA-256:	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
SHA-512:	79EF5CB1B4B46677FB0432A43533B0D7C6A2092BF627E5B9186BF067BB59CAFB9F6A82340BBD627780EC7A20811A3D746CC9D2F578A647A4D1EFDC2B5688F2E5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.2821177886063175
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyidu:yXs9UogeWeH29qclhmwYyidu
MD5:	F2FB6C9C2B6BE3CF826D2DBE6C29F575
SHA1:	8D7A1AB2F22024BD1E7F41506C05DAC7967EC6D8
SHA-256:	6DC9DFDE23D1421DDA60C7A94E25C4DE0024FCFE965CFA186EF5F55A085638DA
SHA-512:	10CE96B3726376A8956F5462C4DF497295574872976D52D3EFAFBE57EB89070570BBF3D5128785D11D92EE4DF14F784B1306970826DB34039114F23078B89D89
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF0BFC98B297E831EB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2093196290859516
Encrypted:	false
SSDEEP:	48:1sHugPveFXJxT5AzPHW9MS5o7rD6W9MSI818l:iHAJTWTjA
MD5:	18D15B6891825B20A3FBBD04738B6633
SHA1:	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1
SHA-256:	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
SHA-512:	F052F7D843B69C8CECE9DFA8A683188C3CD1CB37E2457942E358F143D0C000F5F9124FE680F0A1A19745788E604CB934A74DB51D85A8FB5BA9F11A00152390A0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1942D938D9238C10.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.12041817052530558
Encrypted:	false
SSDEEP:	24:Cr7I818lOdWm29qrb9ipVIdWm29qrb9ipV7V2BwG/lrkgX+Yre8:j818lEW9MSoW9MS5o7rXp1
MD5:	A5ACCD3443CED8BC0B4137E3EA396278
SHA1:	CCA264CCC071A3FCC3AEA76C934A3F9C313D61D4
SHA-256:	463244DE3829B3C5D994719E93594B2BB0BF9E382BBEEAE37E153BE97C8DED9E
SHA-512:	4F9B9577C32DB85762287074EBD87BE04D617AC15D9857613E1F81216B52BB14708D84EC2244D0BFB8DA8834B6EA1470EC622714D76366E1B80654ECE958BACB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1EBAA0DF6957A59B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF26625000C3DFA716.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2093196290859516
Encrypted:	false
SSDEEP:	48:1sHugPveFXJxT5AzPHW9MS5o7rD6W9MSI818l:iHAJTWTjA
MD5:	18D15B6891825B20A3FBBD04738B6633
SHA1:	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1
SHA-256:	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
SHA-512:	F052F7D843B69C8CECE9DFA8A683188C3CD1CB37E2457942E358F143D0C000F5F9124FE680F0A1A19745788E604CB934A74DB51D85A8FB5BA9F11A00152390A0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF515B98A092999243.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5DCD941B825AFF81.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5046533420623267
Encrypted:	false
SSDEEP:	48:S8PhfuRc06WXJ8FT50zPHW9MS5o7rD6W9MSI818l:9hf1fFTaTjA
MD5:	F5A23A6FA744EEF09C2A7F8541FE5DBD
SHA1:	58DF694B007EF6DA2684EE80B1A150FBD06B1548
SHA-256:	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
SHA-512:	79EF5CB1B4B46677FB0432A43533B0D7C6A2092BF627E5B9186BF067BB59CAFB9F6A82340BBD627780EC7A20811A3D746CC9D2F578A647A4D1EFDC2B5688F2E5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC281F47278832CCC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD46BF27CA9C44E38.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2093196290859516
Encrypted:	false
SSDEEP:	48:1sHugPveFXJxT5AzPHW9MS5o7rD6W9MSI818l:iHAJTWTjA
MD5:	18D15B6891825B20A3FBBD04738B6633
SHA1:	69E5E10D9DE4E4C3E0C9F4D9AD51C071228EB6B1
SHA-256:	5788AACC4AC4E19C88C167DE4CF4E160D4065A20C3A317FD96AD8DA3432ED381
SHA-512:	F052F7D843B69C8CECE9DFA8A683188C3CD1CB37E2457942E358F143D0C000F5F9124FE680F0A1A19745788E604CB934A74DB51D85A8FB5BA9F11A00152390A0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD92D1524EDDCFC25.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEAFD4A49B5364FC1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5046533420623267
Encrypted:	false
SSDEEP:	48:S8PhfuRc06WXJ8FT50zPHW9MS5o7rD6W9MSI818l:9hf1fFTaTjA
MD5:	F5A23A6FA744EEF09C2A7F8541FE5DBD
SHA1:	58DF694B007EF6DA2684EE80B1A150FBD06B1548
SHA-256:	3DA02C45DDA5D077670C8CDD0D85A7CEC4D36FB08AAAE3E70A8FA6A3E04CB15F
SHA-512:	79EF5CB1B4B46677FB0432A43533B0D7C6A2092BF627E5B9186BF067BB59CAFB9F6A82340BBD627780EC7A20811A3D746CC9D2F578A647A4D1EFDC2B5688F2E5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF6F31659CEE207E5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFD8F8C1867A8E867.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06981092353499595
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOzTuC77BhXKPQVky6lS:2F0i8n0itFzDHFPuC77HWS
MD5:	82E43552F0F7875FD425564DAB1C45C5
SHA1:	A85775C63AF567CCBCEECF01E8E10B3CB56661E7
SHA-256:	31D5DF542C7533A468E811F5E32ABD1B0988FC35D56A233FFC4CA4211202FB2A
SHA-512:	F1936D8774A71CF61F23D07D5076864EE447765BCEF5C00C6647EF8951C6CABA1486ADAD3C986A2C6904567D6601CE5C49DF990772ACFD19B5A0717796592842
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {6ECD3C06-98A2-44A1-A41E-271C903F257F}, Create Time/Date: Tue May 30 15:19:58 2023, Last Saved Time/Date: Tue May 30 15:19:58 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.918002678282303
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	15dasx.msi
File size:	516096
MD5:	ab8ef3423324168d06b2d122f75ca130
SHA1:	a7e273ddd7cdf303e366cba16abfd4c3966f2cf6
SHA256:	4e70da2d2efc833eb5c450c9f82aaa7d433e31e39dc4ec36ca3c5ddde0f4dc00
SHA512:	8aada720840a74a361d92db1174d3ae8119ff2f70903a396bc0ae60acfdfdf5d7fb781315b155f0b507b7b260a3f4ff8435dc9ba13e05f1547f2abea0c7da220
SSDEEP:	6144:jESkw7402pCiyBH6DlIxtWb9jOyHLmsjzcGet8Rghs0O892YptgrGzjkacDO+cDb:3kdiMHHLmKzQ8tfacDO+wVydjSavjQ
TLSH:	DDB4231536022373C5014B72DC9D87ECA70A3E59756AB61F7E09F8480EB6B7D12B72A3
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	22:55:39
Start date:	30/05/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15dasx.msi"
Imagebase:	0x7ff7d4ee0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exePID: 5708, Parent PID: 576

General

Target ID:	2
Start time:	22:55:39
Start date:	30/05/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d4ee0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 5184, Parent PID: 5708

General

Target ID:	4
Start time:	22:55:42
Start date:	30/05/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Imagebase:	0x7ff7004d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exePID: 1008, Parent PID: 5708

General

Target ID:	5
Start time:	22:55:42
Start date:	30/05/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Imagebase:	0x7ff68fed0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 4028, Parent PID: 5184

General

Target ID:	6
Start time:	22:55:42
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Imagebase:	0x11b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.554365630.000000000084A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.554539683.0000000001110000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: wermgr.exePID: 6944, Parent PID: 4028

General

Target ID:	7
Start time:	22:55:46
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x7ff7c72c0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 15dasx.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\61e623.rbs

C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

C:\Windows\Installer\61e622.msi

C:\Windows\Installer\61e624.msi

C:\Windows\Installer\MSIE8E1.tmp

C:\Windows\Installer\SourceHash{64EDF889-FC17-466B-8E9A-5A8688EB1CDC}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF0BFC98B297E831EB.TMP

C:\Windows\Temp\~DF1942D938D9238C10.TMP

C:\Windows\Temp\~DF1EBAA0DF6957A59B.TMP

C:\Windows\Temp\~DF26625000C3DFA716.TMP

C:\Windows\Temp\~DF515B98A092999243.TMP

C:\Windows\Temp\~DF5DCD941B825AFF81.TMP

C:\Windows\Temp\~DFC281F47278832CCC.TMP

Windows Analysis Report
15dasx.msi

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre