Windows Analysis Report
A649.dll

Overview

General Information

Sample Name: A649.dll
Analysis ID: 878700
MD5: 644bff6674870c37b8bfd2f6b97616f4
SHA1: 6fdb6e4d113c4cfb43888e439c9328b2a396f947
SHA256: 15337bc14077fec44f6f4fe7f27279afad78efef637f86a384d3992b176c4694
Tags: dllqbot
Infos:

Detection

Qbot
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Antivirus / Scanner detection for submitted sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Connects to several IPs in different countries
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Name Description Attribution Blogpost URLs Link
QakBot, qbotQbot QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
  • GOLD CABIN
 https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection
barindex
Found malware configuration
Source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}
Antivirus / Scanner detection for submitted sample
Source: A649.dll Avira: detected
Sample uses string decryption to hide its real strings
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: netstat -nao
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: runas
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: net localgroup
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: nltest /domain_trusts /all_trusts
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELF_TEST_1
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: p%08x
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Self test FAILED!!!
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Self test OK.
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: /t5
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: whoami /all
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cmd
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: route print
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .lnk
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: arp -a
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: net share
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cmd.exe /c set
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Self check
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %u;%u;%u;
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ProfileImagePath
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: at.exe %u:%u "%s" /I
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ProgramData
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Self check ok!
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: powershell.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: qwinsta
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: net view
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Component_08
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Start screenshot
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: schtasks.exe /Delete /F /TN %u
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: appidapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: c:\ProgramData
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Component_07
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: powershell.exe -encodedCommand %S
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: powershell.exe -encodedCommand
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: netstat -nao
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: runas
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SystemRoot
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cscript.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/jpeg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LocalLow
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: displayName
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CommandLine
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: 1234567890
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wbj.go
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: System32
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Name
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: c:\\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: FALSE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Packages
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Winsta0
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: userenv.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: from
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: user32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %S.%06d
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: shell32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: TRUE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: */*
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: https
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %s\system32\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Process
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cmd.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: APPDATA
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: select
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .cfg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Product
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WQL
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wininet.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Create
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Initializing database...
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: winsta0\default
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .dat
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: next
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: fmon.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: vbs
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SysWOW64
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: mpr.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/gif
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: open
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SystemRoot
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cscript.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/jpeg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LocalLow
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: displayName
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CommandLine
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: 1234567890
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wbj.go
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: System32
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Name
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: c:\\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: FALSE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Packages
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Winsta0
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: userenv.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: from
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: user32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %S.%06d
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: shell32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: TRUE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: */*
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: https
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %s\system32\
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Process
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: cmd.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: APPDATA
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: select
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .cfg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_Product
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WQL
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wininet.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Create
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Initializing database...
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: winsta0\default
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: .dat
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: next
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: fmon.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: vbs
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: SysWOW64
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: mpr.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: image/gif
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: open
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort, 3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc, 3_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C0B0 mv_cast5_crypt2, 3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B0D0 mv_camellia_crypt, 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc, 3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C1B0 mv_cast5_crypt, 3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free, 3_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free, 3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc, 3_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001BF0 mv_aes_crypt, 3_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt, 3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free, 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb, 3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free, 3_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002523 mv_aes_crypt, 3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc, 3_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb, 3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001363B mv_encryption_init_info_alloc, 3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010E40 mv_des_crypt, 3_2_10010E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000867B mv_blowfish_crypt_ecb, 3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100136FB mv_encryption_init_info_alloc, 3_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012F30 mv_encryption_info_add_side_data,mv_malloc, 3_2_10012F30
Uses 32bit PE files
Source: A649.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: unknown HTTPS traffic detected: 54.68.22.26:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: A649.dll Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 12.172.173.82:50001
Source: Malware configuration extractor IPs: 178.175.187.254:443
Source: Malware configuration extractor IPs: 65.95.141.84:2222
Source: Malware configuration extractor IPs: 205.237.67.69:995
Source: Malware configuration extractor IPs: 83.110.223.61:443
Source: Malware configuration extractor IPs: 193.253.100.236:2222
Source: Malware configuration extractor IPs: 27.0.48.233:443
Source: Malware configuration extractor IPs: 102.159.188.125:443
Source: Malware configuration extractor IPs: 71.38.155.217:443
Source: Malware configuration extractor IPs: 58.186.75.42:443
Source: Malware configuration extractor IPs: 76.178.148.107:2222
Source: Malware configuration extractor IPs: 70.28.50.223:2087
Source: Malware configuration extractor IPs: 114.143.176.236:443
Source: Malware configuration extractor IPs: 51.14.29.227:2222
Source: Malware configuration extractor IPs: 59.28.84.65:443
Source: Malware configuration extractor IPs: 173.88.135.179:443
Source: Malware configuration extractor IPs: 103.144.201.56:2078
Source: Malware configuration extractor IPs: 96.87.28.170:2222
Source: Malware configuration extractor IPs: 105.186.128.181:995
Source: Malware configuration extractor IPs: 176.142.207.63:443
Source: Malware configuration extractor IPs: 151.62.238.176:443
Source: Malware configuration extractor IPs: 12.172.173.82:32101
Source: Malware configuration extractor IPs: 122.186.210.254:443
Source: Malware configuration extractor IPs: 82.125.44.236:2222
Source: Malware configuration extractor IPs: 84.108.200.161:443
Source: Malware configuration extractor IPs: 76.16.49.134:443
Source: Malware configuration extractor IPs: 70.28.50.223:32100
Source: Malware configuration extractor IPs: 12.172.173.82:465
Source: Malware configuration extractor IPs: 76.170.252.153:995
Source: Malware configuration extractor IPs: 184.182.66.109:443
Source: Malware configuration extractor IPs: 78.92.133.215:443
Source: Malware configuration extractor IPs: 50.68.204.71:993
Source: Malware configuration extractor IPs: 186.75.95.6:443
Source: Malware configuration extractor IPs: 113.11.92.30:443
Source: Malware configuration extractor IPs: 70.28.50.223:3389
Source: Malware configuration extractor IPs: 98.145.23.67:443
Source: Malware configuration extractor IPs: 85.57.212.13:3389
Source: Malware configuration extractor IPs: 50.68.186.195:443
Source: Malware configuration extractor IPs: 47.205.25.170:443
Source: Malware configuration extractor IPs: 12.172.173.82:993
Source: Malware configuration extractor IPs: 12.172.173.82:22
Source: Malware configuration extractor IPs: 69.242.31.249:443
Source: Malware configuration extractor IPs: 81.101.185.146:443
Source: Malware configuration extractor IPs: 79.168.224.165:2222
Source: Malware configuration extractor IPs: 75.143.236.149:443
Source: Malware configuration extractor IPs: 14.192.241.76:995
Source: Malware configuration extractor IPs: 86.195.14.72:2222
Source: Malware configuration extractor IPs: 81.229.117.95:2222
Source: Malware configuration extractor IPs: 220.240.164.182:443
Source: Malware configuration extractor IPs: 73.29.92.128:443
Source: Malware configuration extractor IPs: 12.172.173.82:21
Source: Malware configuration extractor IPs: 96.56.197.26:2222
Source: Malware configuration extractor IPs: 75.109.111.89:443
Source: Malware configuration extractor IPs: 76.86.31.59:443
Source: Malware configuration extractor IPs: 201.244.108.183:995
Source: Malware configuration extractor IPs: 68.203.69.96:443
Source: Malware configuration extractor IPs: 124.122.47.148:443
Source: Malware configuration extractor IPs: 122.184.143.86:443
Source: Malware configuration extractor IPs: 92.186.69.229:2222
Source: Malware configuration extractor IPs: 70.28.50.223:2083
Source: Malware configuration extractor IPs: 89.129.109.27:2222
Source: Malware configuration extractor IPs: 147.147.30.126:2222
Source: Malware configuration extractor IPs: 125.99.76.102:443
Source: Malware configuration extractor IPs: 88.126.94.4:50000
Source: Malware configuration extractor IPs: 151.65.167.77:443
Source: Malware configuration extractor IPs: 86.132.236.117:443
Source: Malware configuration extractor IPs: 92.154.17.149:2222
Source: Malware configuration extractor IPs: 223.166.13.95:995
Source: Malware configuration extractor IPs: 89.36.206.69:995
Source: Malware configuration extractor IPs: 96.56.197.26:2083
Source: Malware configuration extractor IPs: 78.18.105.11:443
Source: Malware configuration extractor IPs: 82.127.153.75:2222
Source: Malware configuration extractor IPs: 90.78.147.141:2222
Source: Malware configuration extractor IPs: 82.131.141.209:443
Source: Malware configuration extractor IPs: 183.87.163.165:443
Source: Malware configuration extractor IPs: 92.9.45.20:2222
Source: Malware configuration extractor IPs: 80.6.50.34:443
Source: Malware configuration extractor IPs: 80.12.88.148:2222
Source: Malware configuration extractor IPs: 69.133.162.35:443
Source: Malware configuration extractor IPs: 172.115.17.50:443
Source: Malware configuration extractor IPs: 95.45.50.93:2222
Source: Malware configuration extractor IPs: 12.172.173.82:2087
Source: Malware configuration extractor IPs: 103.140.174.20:2222
Source: Malware configuration extractor IPs: 24.198.114.130:995
Source: Malware configuration extractor IPs: 50.68.204.71:443
Source: Malware configuration extractor IPs: 69.119.123.159:2222
Source: Malware configuration extractor IPs: 64.121.161.102:443
Source: Malware configuration extractor IPs: 2.82.8.80:443
Source: Malware configuration extractor IPs: 184.181.75.148:443
Source: Malware configuration extractor IPs: 70.112.206.5:443
Source: Malware configuration extractor IPs: 198.2.51.242:993
Source: Malware configuration extractor IPs: 2.36.64.159:2078
Source: Malware configuration extractor IPs: 79.77.142.22:2222
Source: Malware configuration extractor IPs: 84.215.202.8:443
Source: Malware configuration extractor IPs: 147.219.4.194:443
Source: Malware configuration extractor IPs: 116.74.164.81:443
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 12.172.173.82:995
Source: Malware configuration extractor IPs: 77.86.98.236:443
Source: Malware configuration extractor IPs: 104.35.24.154:443
Source: Malware configuration extractor IPs: 213.64.33.61:2222
Source: Malware configuration extractor IPs: 47.149.134.231:443
Source: Malware configuration extractor IPs: 72.134.124.16:443
Source: Malware configuration extractor IPs: 47.34.30.133:443
Source: Malware configuration extractor IPs: 103.42.86.42:995
Source: Malware configuration extractor IPs: 174.4.89.3:443
Source: Malware configuration extractor IPs: 161.142.103.187:995
Source: Malware configuration extractor IPs: 78.160.146.127:443
Source: Malware configuration extractor IPs: 84.35.26.14:995
Source: Malware configuration extractor IPs: 12.172.173.82:20
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 124.149.143.189:2222
Source: Malware configuration extractor IPs: 70.160.67.203:443
Source: Malware configuration extractor IPs: 186.64.67.30:443
Source: Malware configuration extractor IPs: 103.123.223.133:443
Source: Malware configuration extractor IPs: 188.28.19.84:443
Source: Malware configuration extractor IPs: 174.58.146.57:443
Source: Malware configuration extractor IPs: 94.207.104.225:443
Source: Malware configuration extractor IPs: 86.97.55.89:2222
Source: Malware configuration extractor IPs: 69.123.4.221:2222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.82.8.80 2.82.8.80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: broadcom.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 78Cache-Control: no-cache
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 30
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown TCP traffic detected without corresponding DNS query: 102.159.188.125
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: V262JUIP.htm.24.dr String found in binary or memory: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
Source: V262JUIP.htm.24.dr String found in binary or memory: https://jp.broadcom.com
Source: V262JUIP.htm.24.dr String found in binary or memory: https://static.broadcom.com
Source: rundll32.exe, 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.361922166.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.361922492.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.362839772.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.355387583.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.366635490.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A649.dll String found in binary or memory: https://streams.videolan.org/upload/
Source: V262JUIP.htm.24.dr String found in binary or memory: https://www.broadcom.cn
Source: V262JUIP.htm.24.dr String found in binary or memory: https://www.broadcom.com
Source: V262JUIP.htm.24.dr String found in binary or memory: https://www.broadcom.com/media/blt4ac44e0e6c6d8341/blt476a993c2707b028/62e16f3bd3b8a5700456394e/wwwB
Source: V262JUIP.htm.24.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: V262JUIP.htm.24.dr String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-KF7XWD
Source: unknown HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 78Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: broadcom.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: broadcom.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 54.68.22.26:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.7:49719 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.355017026.000000000153B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Uses 32bit PE files
Source: A649.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Yara signature match
Source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002A800 3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B830 3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D060 3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10028070 3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B0D0 3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001900 3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091900 3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D910 3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F91B 3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008144 3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010980 3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001099C 3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100101D0 3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C9F0 3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FA00 3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AA10 3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001021B 3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027220 3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10091A40 3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007A50 3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007270 3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024280 3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EAC0 3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FAE0 3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FAF7 3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000AB30 3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002334C 3_2_1002334C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003BA5 3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100353B0 3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000FBC0 3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100243C0 3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001C10 3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DC10 3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EC10 3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BC40 3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013480 3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004C96 3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004C4C0 3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000ECC9 3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000D4D0 3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000DD40 3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CD50 3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000EDB0 3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007DC0 3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100105C0 3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100215D0 3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000164B 3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023E60 3_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004E92 3_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CEA0 3_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100206A7 3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010750 3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000E760 3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010778 3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002F80 3_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000CF80 3_2_1000CF80
Sample file is different than original file name gathered from version info
Source: A649.dll Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs A649.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe Section loaded: ncryptsslp.dll
Source: A649.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A649.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 664
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",next
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",next Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Shuetpioi
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2ACD.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winDLL@30/22@2/100
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{4CC3B386-6951-446B-A2C7-1BDDD9E57705}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{85E7EFE6-30C6-426C-A3AF-83E4C788615A}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2756
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{4CC3B386-6951-446B-A2C7-1BDDD9E57705}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3828
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3980
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2252
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: A649.dll Static PE information: More than 582 > 100 exports found
Source: A649.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress, 3_2_1001F523
PE file contains an invalid checksum
Source: A649.dll Static PE information: real checksum: 0xf1b7b should be: 0xf06c9

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7340 base: E43C50 value: E9 63 D7 03 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3224 Thread sleep count: 204 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7356 Thread sleep time: -45000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
Source: C:\Windows\SysWOW64\wermgr.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 Start: 10035315 End: 1003515E 3_2_10035030
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress, 3_2_1001F523
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h] 3_2_1001E0D9
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1008DB50 cpuid 3_2_1008DB50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress, 3_2_10092180
AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Qbot
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Qbot
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 878700 Sample: A649.dll Startdate: 31/05/2023 Architecture: WINDOWS Score: 88 33 2.36.64.159 VODAFONE-IT-ASNIT Italy 2->33 35 85.57.212.13 UNI2-ASES Spain 2->35 37 93 other IPs or domains 2->37 47 Found malware configuration 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Yara detected Qbot 2->51 53 2 other signatures 2->53 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 8 other processes 9->18 signatures6 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->55 20 wermgr.exe 11->20         started        57 Potentially malicious time measurement code found 14->57 23 WerFault.exe 9 14->23         started        25 rundll32.exe 16->25         started        27 WerFault.exe 9 18->27         started        29 WerFault.exe 4 9 18->29         started        process7 dnsIp8 39 102.159.188.125, 443, 49732 TOPNETTN Tunisia 20->39 41 188.28.19.84, 443, 49719 H3GUKGB United Kingdom 20->41 45 4 other IPs or domains 20->45 43 192.168.2.1 unknown unknown 23->43 31 WerFault.exe 25 10 25->31         started        process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
2.82.8.80
 unknown Portugal
3243 MEO-RESIDENCIALPT true
70.160.67.203
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
75.143.236.149
 unknown United States
20115 CHARTER-20115US true
83.110.223.61
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE true
86.195.14.72
 unknown France
3215 FranceTelecom-OrangeFR true
84.215.202.8
 unknown Norway
41164 GET-NOGETNorwayNO true
184.182.66.109
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
92.186.69.229
 unknown France
12479 UNI2-ASES true
174.4.89.3
 unknown Canada
6327 SHAWCA true
161.142.103.187
 unknown Malaysia
9930 TTNET-MYTIMEdotComBerhadMY true
114.143.176.236
 unknown India
17762 HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN true
14.192.241.76
 unknown Malaysia
9534 MAXIS-AS1-APBinariangBerhadMY true
173.88.135.179
 unknown United States
10796 TWC-10796-MIDWESTUS true
84.108.200.161
 unknown Israel
8551 BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL true
47.34.30.133
 unknown United States
20115 CHARTER-20115US true
183.87.163.165
 unknown India
132220 JPRDIGITAL-INJPRDigitalPvtLtdIN true
184.181.75.148
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS true
124.149.143.189
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU true
84.35.26.14
 unknown Netherlands
21221 INFOPACT-ASTheNetherlandsNL true
73.29.92.128
 unknown United States
7922 COMCAST-7922US true
54.68.22.26
 broadcom.com United States
16509 AMAZON-02US false
68.203.69.96
 unknown United States
11427 TWC-11427-TEXASUS true
82.131.141.209
 unknown Hungary
20845 DIGICABLEHU true
64.121.161.102
 unknown United States
6079 RCN-ASUS true
178.175.187.254
 unknown Moldova Republic of
43289 TRABIAMD true
96.56.197.26
 unknown United States
6128 CABLE-NET-1US true
188.28.19.84
 unknown United Kingdom
206067 H3GUKGB true
186.64.67.30
 unknown Argentina
27953 NODOSUDSAAR true
125.99.76.102
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN true
81.101.185.146
 unknown United Kingdom
5089 NTLGB true
59.28.84.65
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR true
105.186.128.181
 unknown South Africa
37457 Telkom-InternetZA true
76.86.31.59
 unknown United States
20001 TWC-20001-PACWESTUS true
147.147.30.126
 unknown United Kingdom
6871 PLUSNETUKInternetServiceProviderGB true
96.87.28.170
 unknown United States
7922 COMCAST-7922US true
75.109.111.89
 unknown United States
19108 SUDDENLINK-COMMUNICATIONSUS true
78.92.133.215
 unknown Hungary
5483 MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU true
124.122.47.148
 unknown Thailand
17552 TRUE-AS-APTrueInternetCoLtdTH true
88.126.94.4
 unknown France
12322 PROXADFR true
51.14.29.227
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB true
85.57.212.13
 unknown Spain
12479 UNI2-ASES true
47.205.25.170
 unknown United States
5650 FRONTIER-FRTRUS true
95.45.50.93
 unknown Ireland
5466 EIRCOMInternetHouseIE true
80.12.88.148
 unknown France
3215 FranceTelecom-OrangeFR true
69.133.162.35
 unknown United States
11426 TWC-11426-CAROLINASUS true
86.132.236.117
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB true
151.62.238.176
 unknown Italy
1267 ASN-WINDTREIUNETEU true
70.112.206.5
 unknown United States
11427 TWC-11427-TEXASUS true
102.159.188.125
 unknown Tunisia
37705 TOPNETTN true
205.237.67.69
 unknown Canada
11290 CC-3272CA true
151.65.167.77
 unknown Italy
1267 ASN-WINDTREIUNETEU true
76.178.148.107
 unknown United States
10838 OCEANIC-INTERNET-RRUS true
89.36.206.69
 unknown Italy
48544 TECNOADSL-ASIT true
69.242.31.249
 unknown United States
7922 COMCAST-7922US true
193.253.100.236
 unknown France
3215 FranceTelecom-OrangeFR true
76.16.49.134
 unknown United States
7922 COMCAST-7922US true
94.207.104.225
 unknown United Arab Emirates
15802 DU-AS1AE true
201.244.108.183
 unknown Colombia
19429 ETB-ColombiaCO true
103.42.86.42
 unknown India
133660 EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt true
78.18.105.11
 unknown Ireland
2110 AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet true
80.6.50.34
 unknown United Kingdom
5089 NTLGB true
103.144.201.56
 unknown unknown
139762 MSSOLUTION-AS-APSolutionBD true
27.0.48.233
 unknown India
132573 SAINGN-AS-INSAINGNNetworkServicesIN true
70.28.50.223
 unknown Canada
577 BACOMCA true
98.145.23.67
 unknown United States
20001 TWC-20001-PACWESTUS true
47.149.134.231
 unknown United States
5650 FRONTIER-FRTRUS true
82.125.44.236
 unknown France
3215 FranceTelecom-OrangeFR true
81.229.117.95
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE true
89.129.109.27
 unknown Spain
12479 UNI2-ASES true
122.186.210.254
 unknown India
9498 BBIL-APBHARTIAirtelLtdIN true
79.77.142.22
 unknown United Kingdom
9105 TISCALI-UKTalkTalkCommunicationsLimitedGB true
90.78.147.141
 unknown France
3215 FranceTelecom-OrangeFR true
122.184.143.86
 unknown India
9498 BBIL-APBHARTIAirtelLtdIN true
186.75.95.6
 unknown Panama
11556 CableWirelessPanamaPA true
50.68.186.195
 unknown Canada
6327 SHAWCA true
12.172.173.82
 unknown United States
2386 INS-ASUS true
213.64.33.61
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE true
79.168.224.165
 unknown Portugal
2860 NOS_COMUNICACOESPT true
86.97.55.89
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE true
176.142.207.63
 unknown France
5410 BOUYGTEL-ISPFR true
92.154.17.149
 unknown France
3215 FranceTelecom-OrangeFR true
174.58.146.57
 unknown United States
7922 COMCAST-7922US true
78.160.146.127
 unknown Turkey
9121 TTNETTR true
58.186.75.42
 unknown Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo true
223.166.13.95
 unknown China
17621 CNCGROUP-SHChinaUnicomShanghainetworkCN true
65.95.141.84
 unknown Canada
577 BACOMCA true
50.68.204.71
 unknown Canada
6327 SHAWCA true
71.38.155.217
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS true
104.35.24.154
 unknown United States
20001 TWC-20001-PACWESTUS true
220.240.164.182
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU true
103.123.223.133
 unknown India
138329 KWS-AS-APKenstarWebSolutionsPrivateLimitedIN true
24.198.114.130
 unknown United States
11351 TWC-11351-NORTHEASTUS true
2.36.64.159
 unknown Italy
30722 VODAFONE-IT-ASNIT true
198.2.51.242
 unknown United States
20001 TWC-20001-PACWESTUS true
92.9.45.20
 unknown United Kingdom
13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB true
113.11.92.30
 unknown Bangladesh
7565 BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD true
69.119.123.159
 unknown United States
6128 CABLE-NET-1US true
69.123.4.221
 unknown United States
6128 CABLE-NET-1US true
172.115.17.50
 unknown United States
20001 TWC-20001-PACWESTUS true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
broadcom.com 54.68.22.26 true
www.broadcom.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://broadcom.com/ false
    		high
    https://188.28.19.84/t5 true
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown