Edit tour

Windows Analysis Report
qbot1.dll

Overview

General Information

Sample Name:	qbot1.dll
Analysis ID:	880144
MD5:	682b7633158d20f720ca61cc96c45c50
SHA1:	1f409c817fdf4d65c1f2009f925b583672f67619
SHA256:	83380409b59ca7c171c09f2972034ec5d1789b6e5830e333a897dc4ac1ec885e
Infos:

Detection

Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Queries memory information (via WMI often done to detect virtual machines)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

C2 URLs / IPs found in malware configuration

Uses whoami command line tool to query computer and username

Uses ipconfig to lookup or modify the Windows network settings

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5568 cmdline: loaddll32.exe "C:\Users\user\Desktop\qbot1.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6348 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6268 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6336 cmdline: rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0API@ScScript@@IAE@AAVEngine@1@H@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5044 cmdline: rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 648 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7156 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0API@ScScript@@IAE@AAVEngine@1@H@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5444 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 648 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5428 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7020 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 7148 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

ipconfig.exe (PID: 2244 cmdline: ipconfig /all MD5: B0C7423D02A007461C850CD0DFE09318)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5324 cmdline: whoami /all MD5: 2E498B32E15CD7C0177A254E2410559C)

conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 4604 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",munlockRef@Engine@ScScript@@QAEXABVVariant@ScCore@@@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5668 cmdline: rundll32.exe "C:\Users\user\Desktop\qbot1.dll",mundefinedError@Callback@ScScript@@UAE_NAAVEngine@2@ABVVariant@ScCore@@1AAV45@@Z MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

msiexec.exe (PID: 5520 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685604052", "Version": "404.1346", "C2 list": ["47.199.241.39:443", "93.147.235.8:443", "75.141.227.169:443", "45.243.142.31:995", "79.92.15.6:443", "85.104.105.67:443", "89.129.109.27:2222", "86.176.83.44:2222", "24.234.220.88:993", "89.32.156.5:995", "12.172.173.82:22", "103.101.203.177:443", "70.28.50.223:2083", "98.187.21.2:443", "70.49.205.198:2222", "96.56.197.26:2222", "92.9.45.20:2222", "86.195.14.72:2222", "172.115.17.50:443", "100.4.163.158:2222", "80.12.88.148:2222", "213.64.33.92:2222", "113.11.92.30:443", "78.192.109.105:2222", "47.34.30.133:443", "122.184.143.86:443", "198.2.51.242:993", "165.120.169.171:2222", "88.126.94.4:50000", "82.125.44.236:2222", "117.195.16.105:993", "147.219.4.194:443", "80.167.196.79:443", "92.154.17.149:2222", "184.181.75.148:443", "95.45.50.93:2222", "84.35.26.14:995", "201.143.215.69:443", "12.172.173.82:2087", "50.68.204.71:443", "64.121.161.102:443", "2.82.8.80:443", "79.77.142.22:2222", "12.172.173.82:995", "223.166.13.95:995", "72.134.124.16:443", "213.55.33.103:443", "183.87.163.165:443", "174.4.89.3:443", "27.253.11.10:2222", "2.49.63.160:2222", "92.186.69.229:2222", "69.133.162.35:443", "81.111.108.123:443", "12.172.173.82:20", "188.28.19.84:443", "90.29.86.138:2222", "70.160.67.203:443", "186.64.67.30:443", "5.107.153.132:2222", "125.63.125.205:2078", "2.36.64.159:2078", "71.38.155.217:443", "205.237.67.69:995", "70.64.77.115:443", "24.234.220.88:990", "96.56.197.26:2083", "70.28.50.223:2078", "103.123.223.133:443", "199.27.66.213:443", "83.249.198.100:2222", "94.204.202.106:443", "77.126.99.230:443", "72.205.104.134:443", "65.95.141.84:2222", "70.28.50.223:2078", "173.88.135.179:443", "220.240.164.182:443", "96.87.28.170:2222", "176.142.207.63:443", "12.172.173.82:32101", "70.50.83.216:2222", "161.142.103.187:995", "45.62.70.33:443", "24.234.220.88:465", "103.141.50.43:995", "90.7.72.46:2222", "76.178.148.107:2222", "116.74.163.130:443", "46.246.254.242:995", "70.28.50.223:2087", "12.172.173.82:465", "178.175.187.254:443", "27.0.48.233:443", "83.110.223.61:443", "184.182.66.109:443", "70.28.50.223:32100", "50.68.204.71:993", "70.28.50.223:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "76.170.252.153:995", "69.242.31.249:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "81.229.117.95:2222", "98.145.23.67:443", "98.37.25.99:443", "69.160.121.6:61201", "12.172.173.82:21", "75.109.111.89:443", "76.86.31.59:443", "80.6.50.34:443", "116.120.145.170:995", "201.244.108.183:995", "58.186.75.42:443", "68.203.69.96:443", "47.149.134.231:443"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.424621480.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000013.00000002.425037724.0000000004870000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.rundll32.exe.2c60a28.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xe055:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9c7b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
19.2.rundll32.exe.2c60a28.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
19.2.rundll32.exe.29a0000.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
19.2.rundll32.exe.29a0000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
19.2.rundll32.exe.2c60a28.1.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
19.2.rundll32.exe.2c60a28.1.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000013.00000002.424621480.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685604052", "Version": "404.1346", "C2 list": ["47.199.241.39:443", "93.147.235.8:443", "75.141.227.169:443", "45.243.142.31:995", "79.92.15.6:443", "85.104.105.67:443", "89.129.109.27:2222", "86.176.83.44:2222", "24.234.220.88:993", "89.32.156.5:995", "12.172.173.82:22", "103.101.203.177:443", "70.28.50.223:2083", "98.187.21.2:443", "70.49.205.198:2222", "96.56.197.26:2222", "92.9.45.20:2222", "86.195.14.72:2222", "172.115.17.50:443", "100.4.163.158:2222", "80.12.88.148:2222", "213.64.33.92:2222", "113.11.92.30:443", "78.192.109.105:2222", "47.34.30.133:443", "122.184.143.86:443", "198.2.51.242:993", "165.120.169.171:2222", "88.126.94.4:50000", "82.125.44.236:2222", "117.195.16.105:993", "147.219.4.194:443", "80.167.196.79:443", "92.154.17.149:2222", "184.181.75.148:443", "95.45.50.93:2222", "84.35.26.14:995", "201.143.215.69:443", "12.172.173.82:2087", "50.68.204.71:443", "64.121.161.102:443", "2.82.8.80:443", "79.77.142.22:2222", "12.172.173.82:995", "223.166.13.95:995", "72.134.124.16:443", "213.55.33.103:443", "183.87.163.165:443", "174.4.89.3:443", "27.253.11.10:2222", "2.49.63.160:2222", "92.186.69.229:2222", "69.133.162.35:443", "81.111.108.123:443", "12.172.173.82:20", "188.28.19.84:443", "90.29.86.138:2222", "70.160.67.203:443", "186.64.67.30:443", "5.107.153.132:2222", "125.63.125.205:2078", "2.36.64.159:2078", "71.38.155.217:443", "205.237.67.69:995", "70.64.77.115:443", "24.234.220.88:990", "96.56.197.26:2083", "70.28.50.223:2078", "103.123.223.133:443", "199.27.66.213:443", "83.249.198.100:2222", "94.204.202.106:443", "77.126.99.230:443", "72.205.104.134:443", "65.95.141.84:2222", "70.28.50.223:2078", "173.88.135.179:443", "220.240.164.182:443", "96.87.28.170:2222", "176.142.207.63:443", "12.172.173.82:32101", "70.50.83.216:2222", "161.142.103.187:995", "45.62.70.33:443", "24.234.220.88:465", "103.141.50.43:995", "90.7.72.46:2222", "76.178.148.107:2222", "116.74.163.130:443", "46.246.254.242:995", "70.28.50.223:2087", "12.172.173.82:465", "178.175.187.254:443", "27.0.48.233:443", "83.110.223.61:443", "184.182.66.109:443", "70.28.50.223:32100", "50.68.204.71:993", "70.28.50.223:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "76.170.252.153:995", "69.242.31.249:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "81.229.117.95:2222", "98.145.23.67:443", "98.37.25.99:443", "69.160.121.6:61201", "12.172.173.82:21", "75.109.111.89:443", "76.86.31.59:443", "80.6.50.34:443", "116.120.145.170:995", "201.244.108.183:995", "58.186.75.42:443", "68.203.69.96:443", "47.149.134.231:443"]}

Multi AV Scanner detection for submitted file

Source: qbot1.dll

Virustotal: Detection: 12%

Perma Link

Sample uses string decryption to hide its real strings

Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: netstat -nao
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: runas
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ipconfig /all
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: net localgroup
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Microsoft
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELF_TEST_1
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: p%08x
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Self test FAILED!!!
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Self test OK.
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: /t5
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: whoami /all
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cmd
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: route print
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .lnk
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: arp -a
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: net share
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cmd.exe /c set
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Self check
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %u;%u;%u;
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ProfileImagePath
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ProgramData
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Self check ok!
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: powershell.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: qwinsta
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: net view
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Component_08
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Start screenshot
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: appidapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: c:\ProgramData
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Component_07
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: powershell.exe -encodedCommand
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: netstat -nao
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: runas
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ipconfig /all
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SystemRoot
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cscript.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/jpeg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LocalLow
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: displayName
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: shlwapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CommandLine
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: kernel32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: 1234567890
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wbj.go
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_DiskDrive
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: System32
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Name
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WRSA.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: c:\\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SpyNetReporting
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: FALSE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aswhookx.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Packages
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: RepUx.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Winsta0
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: root\SecurityCenter2
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: MsMpEng.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: userenv.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: csc_ui.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: \\.\pipe\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: pstorec.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: NTUSER.DAT
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: from
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: netapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: gdi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: setupapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: iphlpapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CrAmTray.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: user32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: \sf2.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Software\Microsoft
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %S.%06d
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: bcrypt.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wtsapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: shell32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: TRUE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Bios
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: /
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ByteFence.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: type=0x%04X
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ROOT\CIMV2
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: https
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: fshoster32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: kernelbase.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: regsvr32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %s\system32\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Process
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: rundll32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LOCALAPPDATA
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cmd.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: APPDATA
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: select
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: mcshield.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: advapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ws2_32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .cfg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Product
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WQL
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wininet.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LastBootUpTime
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: urlmon.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Create
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_PnPEntity
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Initializing database...
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: winsta0\default
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .dat
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WBJ_IGNORE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: next
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wpcap.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/pjpeg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: fmon.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: vbs
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aswhooka.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SysWOW64
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: mpr.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/gif
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: crypt32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ntdll.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: open
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SystemRoot
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cscript.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/jpeg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LocalLow
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: displayName
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: shlwapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CommandLine
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: kernel32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: 1234567890
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wbj.go
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_DiskDrive
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: System32
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Name
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WRSA.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: c:\\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SpyNetReporting
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: FALSE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aswhookx.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Packages
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: RepUx.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Winsta0
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: root\SecurityCenter2
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: MsMpEng.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: userenv.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: csc_ui.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: \\.\pipe\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: pstorec.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: NTUSER.DAT
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: from
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: netapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: gdi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: setupapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: iphlpapi.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CrAmTray.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: user32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: \sf2.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Software\Microsoft
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %S.%06d
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: bcrypt.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wtsapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: shell32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: TRUE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Bios
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: /
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ByteFence.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: type=0x%04X
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ROOT\CIMV2
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: https
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: fshoster32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: kernelbase.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: regsvr32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %s\system32\
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Process
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: rundll32.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LOCALAPPDATA
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: cmd.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: APPDATA
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: select
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: mcshield.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: advapi32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ws2_32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .cfg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_Product
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WQL
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wininet.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: LastBootUpTime
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: urlmon.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Create
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Win32_PnPEntity
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Initializing database...
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: winsta0\default
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: .dat
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: WBJ_IGNORE
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: next
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: wpcap.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/pjpeg
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: fmon.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: vbs
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: aswhooka.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: SysWOW64
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: mpr.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: image/gif
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: crypt32.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: ntdll.dll
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: open
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: qbot1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown	HTTPS traffic detected: 54.161.105.65:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.5:49737 version: TLS 1.2

Source: qbot1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ExtendScript.pdb source: rundll32.exe, 00000003.00000002.398530807.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.398962293.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.403691320.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.409151582.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.417454259.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.417658145.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.418188854.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.429703826.000000001006A000.00000002.00000001.01000000.00000003.sdmp, qbot1.dll
Source:	Binary string: ExtendScript.pdb source: rundll32.exe, 00000003.00000002.398530807.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.398962293.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.403691320.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.409151582.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.417454259.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.417658145.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.418188854.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.429703826.000000001006A000.00000002.00000001.01000000.00000003.sdmp, qbot1.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029A9E70 FindFirstFileW,FindNextFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 47.199.241.39:443
Source: Malware configuration extractor	IPs: 93.147.235.8:443
Source: Malware configuration extractor	IPs: 75.141.227.169:443
Source: Malware configuration extractor	IPs: 45.243.142.31:995
Source: Malware configuration extractor	IPs: 79.92.15.6:443
Source: Malware configuration extractor	IPs: 85.104.105.67:443
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 86.176.83.44:2222
Source: Malware configuration extractor	IPs: 24.234.220.88:993
Source: Malware configuration extractor	IPs: 89.32.156.5:995
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 103.101.203.177:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 98.187.21.2:443
Source: Malware configuration extractor	IPs: 70.49.205.198:2222
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 100.4.163.158:2222
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 213.64.33.92:2222
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 78.192.109.105:2222
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 165.120.169.171:2222
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 117.195.16.105:993
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 80.167.196.79:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 201.143.215.69:443
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 213.55.33.103:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 27.253.11.10:2222
Source: Malware configuration extractor	IPs: 2.49.63.160:2222
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 81.111.108.123:443
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 90.29.86.138:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 5.107.153.132:2222
Source: Malware configuration extractor	IPs: 125.63.125.205:2078
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 70.64.77.115:443
Source: Malware configuration extractor	IPs: 24.234.220.88:990
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 199.27.66.213:443
Source: Malware configuration extractor	IPs: 83.249.198.100:2222
Source: Malware configuration extractor	IPs: 94.204.202.106:443
Source: Malware configuration extractor	IPs: 77.126.99.230:443
Source: Malware configuration extractor	IPs: 72.205.104.134:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 70.50.83.216:2222
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 45.62.70.33:443
Source: Malware configuration extractor	IPs: 24.234.220.88:465
Source: Malware configuration extractor	IPs: 103.141.50.43:995
Source: Malware configuration extractor	IPs: 90.7.72.46:2222
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 116.74.163.130:443
Source: Malware configuration extractor	IPs: 46.246.254.242:995
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 98.37.25.99:443
Source: Malware configuration extractor	IPs: 69.160.121.6:61201
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 116.120.145.170:995
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 47.149.134.231:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: www.yahoo.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.5:49730 -> 213.64.33.92:2222

Source: unknown

Network traffic detected: IP country count 29

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92
Source: unknown	TCP traffic detected without corresponding DNS query: 213.64.33.92

Source: J7NKSXWB.htm.30.dr	String found in binary or memory: C = {"useYAC":0,"usePE":0,"servicePath":"https:\/\/www.yahoo.com\/pdarla\/php\/fc.php","xservicePath":"","beaconPath":"https:\/\/www.yahoo.com\/pdarla\/php\/b.php","renderPath":"","allowFiF":false,"srenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","renderFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","sfbrenderPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-sf.html","msgPath":"https:\/\/fc.yahoo.com\/unsupported-1946.html","cscPath":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/html\/r-csc.html","root":"pdarla","edgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","sedgeRoot":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1","version":"4-11-1","tpbURI":"","hostFile":"https:\/\/s.yimg.com\/rq\/darla\/4-11-1\/js\/g-r-min.js","beaconsDisabled":true,"rotationTimingDisabled":true,"fdb_locale":"What don't you like about this ad?\|It's offensive\|Something else\|Thank you for helping us improve your Yahoo experience\|It's not relevant\|It's distracting\|I don't like this ad\|Send\|Done\|Why do I see ads?\|Learn more about your feedback.\|Want an ad-free inbox? Upgrade to Yahoo Mail Pro!\|Upgrade Now","positions":{"DEFAULT":{"supports":false},"LDRB":{"w":728,"h":90},"LREC":{"w":300,"h":250},"MAST":{"w":1,"h":1},"MON":{"w":1,"h":1}},"lang":"en-US"}, equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: C.events = {"AUTO":{"autoDDG":1,"autoIV":1,"autoMax":25,"autoRT":10000,"autoStart":1,"name":"AUTO","ps":{"LREC":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC3":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"LREC4":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON":{"autoIV":1,"autoMax":25,"autoRT":"10000"},"MON2":{"autoIV":1,"autoMax":25,"autoRT":"10000"}},"groups":{"LREC3":"MON2","LREC4":"MON2","MON2":"LREC3,LREC4"},"sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\" refresh=true","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"3ffu699i7hs9u","test":"900"}}},"adFetch":{"ps":"LDRB,LREC,MAST,MON","sp":2023538075,"sa":"Y-BUCKET=\"900\" ctout=380 rs=\"lu:0;pt:home;site:fp;ver:megastrm\"","ref":"https:\/\/www.yahoo.com\/","ult":{"pg":{"property":"fp_en-US","rid":"3ffu699i7hs9u","test":"900"}}}}; equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: C.positions = {"LDRB":{"clean":"sda-LDRB","dest":"sda-LDRB-iframe","fdb":1,"h":90,"id":"LDRB","metaSize":true,"pos":"LDRB","supports":{"exp-ovr":1,"exp-push":1,"lyr":0},"w":728,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"LREC":{"clean":"sda-LREC","dest":"sda-LREC-iframe","fdb":1,"h":250,"id":"LREC","metaSize":true,"pos":"LREC","supports":{"exp-ovr":0,"exp-push":0,"lyr":0},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"},"doubleBuffering":false},"MAST":{"clean":"sda-MAST","closeBtn":{"adc":0,"mode":2,"useShow":1},"dest":"sda-MAST-iframe","fdb":1,"h":250,"id":"MAST","metaSize":true,"pos":"MAST","supports":{"exp-ovr":0,"exp-push":1,"resize-to":1},"w":970,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"MON":{"clean":"sda-MON","dest":"sda-MON-iframe","fdb":1,"h":600,"id":"MON","metaSize":true,"pos":"MON","supports":{"exp-ovr":1,"exp-push":1,"lyr":0,"resize-to":1},"w":300,"meta":{"hostURL":"https:\/\/www.yahoo.com\/"}},"DEFAULT":{"sandbox":false}}; equals www.yahoo.com (Yahoo)
Source: de-ch[1].htm.30.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.facebook.com (Facebook)
Source: de-ch[1].htm.30.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.30.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.twitter.com (Twitter)
Source: de-ch[1].htm.30.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.youtube.com (Youtube)
Source: de-ch[1].htm.30.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.facebook.com/microsoftschweiz" target="_blank" data-bi-ecn="Facebook" data-bi-bhvr="126" data-bi-cn="Facebook" data-bi-socchn="Facebook" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.30.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.linkedin.com/company/1035" target="_blank" data-bi-ecn="LinkedIn" data-bi-bhvr="126" data-bi-cn="LinkedIn" data-bi-socchn="LinkedIn" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.30.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.youtube.com/user/MicrosoftCH" target="_blank" data-bi-ecn="Youtube" data-bi-bhvr="126" data-bi-cn="Youtube" data-bi-socchn="Youtube" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.youtube.com (Youtube)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: w._comscore.push({"c1":"2","c2":"7241469","c5":2023538075,"c7":"https://www.yahoo.com/","c14":-1}); equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: var pixelDetectUrl = "https://www.yahoo.com/px.gif"; equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: {"@context":"http://schema.org","@type":"WebSite","url":"https://www.yahoo.com/","potentialAction":{"@type":"SearchAction","target":"https://search.yahoo.com/search?p={search_term_string}","query-input":"required name=search_term_string"}} equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: </script><noscript><img src=https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c14=-1></noscript><script type=text/javascript nonce=2dc40bb0e8f14317f55064956635585ba1e88d32ab41e65fae69eacc39bdd39b> equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: a cop said as Sean Bickings pleaded for help from the lake, according to the lawsuit.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"U.S.","cpos":4,"cposy":9},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="969f6d1f-cac6-3d42-bb9c-806e8c8cb86c" data-cpos="5" data-cposy="10" data-ycts="YMEDIA:CATEGORY=000000361,001000069,001000299,YMEDIA:CATEGORY=000000362,001000298,001000346,001000301" data-wikis="Ashton_Kutcher,Disposable_household_and_per_capita_income,Median_income,Upper_class,Pew_Research_Center" data-property="Business" data-i13n-cfg="{"bpos":1,"categoryLabel":"Business","cpos":5,"cposy":10}" data-test-locator="stream-item" data-yaft-module="stream_item_5"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/finance/news/heres-net-worth-fall-americas-130000535.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:5;cposy:10;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:969f6d1f-cac6-3d42-bb9c-806e8c8cb86c;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:Business;slk:Here's the annual income you need to fall in America's lower, middle, and upper class equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: </div><div class="C($streamItemGray) Fz(11px) Mt(2px) Va(b) D(ib)--md1160" data-test-locator="stream-cluster-pub">Variety</div></a></li></ul></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"Celebrity","cpos":19,"cposy":38},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="21efd28c-2ea4-3301-84f5-b72244af1f6b" data-cpos="20" data-cposy="41" data-ycts="001000031,001000069" data-wikis="Kate_Hudson,Goldie_Hawn" data-property="Celebrity" data-i13n-cfg="{"bpos":1,"categoryLabel":"Celebrity","cpos":20,"cposy":41}" data-test-locator="stream-item" data-yaft-module="stream_item_20"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/news/kate-hudson-sunbathes-topless-warns-011924323.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:20;cposy:41;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:21efd28c-2ea4-3301-84f5-b72244af1f6b;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:Celebrity;slk:Kate Hudson sunbathes topless, warns brother to unfollow her social media posts: equals www.yahoo.com (Yahoo)
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: </span><u class="StretchedBox"></u></a></h3><p class="LineClamp(2,38px) finance-ticker-fetch-success_D(n) sub-upsell-fetch-success_D(n) Fz(14px) Lh(18px) C($streamSummaryClass) M(0) Bxz(bb) Mb(12px)" data-test-locator="stream-item-summary">Kate Hudson engaged in family banter on Instagram after her brother Oliver screamed upon seeing his sister nearly naked while tanning by the pool without a top.</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"Celebrity","cpos":20,"cposy":41},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" data-cpos="21" data-cposy="42" data-ycts="001000661,001000700" data-wikis="Donald_Trump,Jus_soli,Rolling_Stone,Fourteenth_Amendment_to_the_United_States_Constitution,Illegal_immigration" data-property="Politics" data-has-cluster="true" data-i13n-cfg="{"bpos":1,"categoryLabel":"Politics","cpos":21,"cposy":42}" data-test-locator="stream-item" data-yaft-module="stream_item_21"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:87.73%" data-test-locator="stream-item-image"><a href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:21;cposy:42;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: t lived!!!!</p></div></div><div class="drawer-fetch-boundary Pos(r)"><div data-bucket="900" data-cfg="{"adMeta":{"adchoicesUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","advertiseWithUsUrl":"https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback","sponsoredUrl":"https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html","enableDrawerFeedback":false,"enableAdLiteUpSellFeedback":true},"features":{},"i13n":{"bpos":1,"categoryLabel":"Celebrity","cpos":11,"cposy":22},"intlFujiUiConfig":{"roundedCorner":false,"useVerticalControlIcons":false},"xhrPathPrefix":"/fp_ms/_rcv/remote","ncpParams":{"query":{"pageContext":{"lu":0,"pageType":"home","site":"fp","appName":"megastrm"}}}}" data-wf-boundary="drawer-fetch-boundary" data-wf-retry-count="1" data-wf-target=".drawer-fetch-target" data-wf-trigger="onLoad" data-wf-url="/fp_ms/_rcv/remote?m_mode=json&m_id=react-wafer-stream&ctrl=StreamRelated" class="stream-drawer Trsde(0.3s) Trsdu(0.7s) Trstf(eio) Trsp(max-height) Mah(0px) show-drawer_Mah(280px) D(n) drawer-beacon_D(b) Ov(h) stream-related-drawer"><div class="drawer-fetch-target"></div></div><div class="adfeedback-dialog"> </div></div></div></li><li class="stream-item js-stream-content Pos(r) Bgc(--white)" data-type="1" data-uuid="cc5ad19a-7ea9-397b-8d36-2e1249dcb91a" data-cpos="12" data-cposy="23" data-ycts="001000069,001000031" data-wikis="Pamela_Anderson,Khlo%c3%a9_Kardashian" data-property="Style" data-i13n-cfg="{"bpos":1,"categoryLabel":"Style","cpos":12,"cposy":23}" data-test-locator="stream-item" data-yaft-module="stream_item_12"><div class="Mih(140px)"><div class="Py(12px) Pos(r) Cf"><div class="Fl(start) Pos(r) Mend(25px) Maw(220px) W(26%)"><div class="H(0) T(0px) Bdrs(2px) Start(0) Pos(r)" style="padding-bottom:55.91%" data-test-locator="stream-item-image"><a href="/entertainment/leave-khlo-kardashian-eat-pamela-165840132.html" data-ylk="itc:0;elm:img;elmt:ct;imgt:ss;bpos:1;cpos:12;cposy:23;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:cc5ad19a-7ea9-397b-8d36-2e1249dcb91a;grpt:singlestory;pkgt:orphan_img;pos:1;cnt_tpc:Style;slk:Leave It to Khlo equals www.yahoo.com (Yahoo)

Source: 77EC63BDA74BD0D0E0426DC8F80085060.30.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: de-ch[1].htm.30.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWO4yJ?ver=2ab3"
Source: de-ch[1].htm.30.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWOalS?ver=cc6e"
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: http://schema.org
Source: de-ch[1].htm.30.dr	String found in binary or memory: http://schema.org/Organization
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=1864049394;st=
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=1864049
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://accdn.lpsnmedia.net
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://analytics.tiktok.com
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://cdnssl.clicktale.net
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://d.impactradius-event.com
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://fp-graviton-home-gateway.media.yahoo.com/
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://js.monitor.azure.com
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html"
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://lpcdn.lpsnmedia.net
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://lptag.liveperson.net
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://mem.gfx.ms
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://onedrive.live.com/about/de-ch/
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://openweb.jac.yahoosandbox.com
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://openweb.jac.yahoosandbox.com/1.5.0/jac.js
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://outlook.live.com/owa/
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://publisher.liveperson.net
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/aaq/spotim/
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.4.0.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.63.0.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/ss/rapid-3.53.38.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/2kRwuXH6fvmgKfpoQCf56g--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/4cg6h0vinH_o7ba.oxXthQ--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/5BZN9wyvjM8FfgniQrH0uw--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/6DI2hkBaEy3aroPxqBStjQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/6lV3qkp5vhD2J.O5ha31Nw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/7mz1gUykvPcUcalzuGE1WQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/H3vVA32ymLk3HFF8J_ZI5w--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/c3dObtZQiIqjZKMWzeYQcw--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/fiFKhsorJ_.XzJNVa7HgsQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/h64YbbKcO2GsKYAy1QMRMw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/k8SbH9Gqa6W8a7JKyncC.A--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/mzPB3eeJrxJuAn9uOhK0cA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/p68hnTLk2asTrmg6nFL37A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://schema.org
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://search.yahoo.com/search?p=
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://twitter.com/microsoft_ch
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.clarity.ms
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.instagram.com/microsoftch/
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.linkedin.com/company/1035
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.onenote.com/?omkt=de-CH
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.skype.com/de/
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.xbox.com/
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://www.yahoo.com/
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://www.yahoo.com/px.gif
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://www.youtube.com/user/MicrosoftCH
Source: de-ch[1].htm.30.dr	String found in binary or memory: https://xboxdesignlab.xbox.com/xbox-design-lab?recipeId=G4E9FNSC&icid=mscom_marcom_CPH4a_PrideXDLcon
Source: J7NKSXWB.htm.30.dr	String found in binary or memory: https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US

Source: unknown

DNS traffic detected: queries for: yahoo.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: yahoo.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: www.yahoo.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.yahoo.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 54.161.105.65:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.5:49737 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.410374276.00000000009BB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: qbot1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: 19.2.rundll32.exe.2c60a28.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 19.2.rundll32.exe.29a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 19.2.rundll32.exe.2c60a28.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 656

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002C7F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B32F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B72EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B8E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029A3A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B6F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B4B53

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029ACAF3 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029AAA38 GetLastError,NtResumeThread,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029B44D8 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029AA51F NtAllocateVirtualMemory,NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029AA93E GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,

Source: qbot1.dll

Binary or memory string: OriginalFilenameAdobeExtendScript.dllD vs qbot1.dll

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll

Source: qbot1.dll

Virustotal: Detection: 12%

Source: qbot1.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\qbot1.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0API@ScScript@@IAE@AAVEngine@1@H@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 656
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 660
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0API@ScScript@@IAE@AAVEngine@1@H@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",munlockRef@Engine@ScScript@@QAEXABVVariant@ScCore@@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",mundefinedError@Callback@ScScript@@UAE_NAAVEngine@2@ABVVariant@ScCore@@1AAV45@@Z
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 648
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all
Source: C:\Windows\SysWOW64\whoami.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0API@ScScript@@IAE@AAVEngine@1@H@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0API@ScScript@@IAE@AAVEngine@1@H@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",munlockRef@Engine@ScScript@@QAEXABVVariant@ScCore@@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",mundefinedError@Callback@ScScript@@UAE_NAAVEngine@2@ABVVariant@ScCore@@1AAV45@@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Zayfhyxjea

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B33.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@40/37@2/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029AD2F7 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029AC800 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0API@ScScript@@IAE@AAVEngine@1@H@Z

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7156
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5044
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{DAB8A7D0-9C66-4E50-8626-2C29CBC7F091}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{75B9B879-3461-496A-83BB-96D7E6BF196A}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5428
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6336
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5772
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6268
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5444
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DAB8A7D0-9C66-4E50-8626-2C29CBC7F091}

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: qbot1.dll

Static PE information: More than 305 > 100 exports found

Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qbot1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qbot1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: qbot1.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ExtendScript.pdb source: rundll32.exe, 00000003.00000002.398530807.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.398962293.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.403691320.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.409151582.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.417454259.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.417658145.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.418188854.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.429703826.000000001006A000.00000002.00000001.01000000.00000003.sdmp, qbot1.dll
Source:	Binary string: ExtendScript.pdb source: rundll32.exe, 00000003.00000002.398530807.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.398962293.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.403691320.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.409151582.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.417454259.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.417658145.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.418188854.000000001006A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.429703826.000000001006A000.00000002.00000001.01000000.00000003.sdmp, qbot1.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1005C675 push ecx; ret

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029A93B8 LoadLibraryA,GetProcAddress,

Source: qbot1.dll

Static PE information: real checksum: 0xd799f should be: 0xe6042

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\wermgr.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all

Boot Survival

Uses whoami command line tool to query computer and username

Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7148 base: 2B3C50 value: E9 63 D7 45 02

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\whoami.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\whoami.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDrive

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status from Win32_PnPEntity

Source: C:\Windows\SysWOW64\rundll32.exe TID: 1236

Thread sleep count: 176 > 30

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_ComputerSystem

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_Bios

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100559A0 GetVersionExA,GetVersionExA,GetVersionExA,GetSystemInfo,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029A9E70 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: J7NKSXWB.htm.30.dr	Binary or memory string: ;" aria-hidden="true" class="js-content-viewer rapidnofollow" tabindex="-1"><img class="W(100%) Bdrs(2px)" src="https://s.yimg.com/uu/api/res/1.2/GrbIGl3XT7cxPkRfHGfS9A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHBpZD15dGFjaHlvbg--/https://media.zenfs.com/en/rollingstone.com/1559327ca430d396aaa47b044ff6e77a.cf.jpg" alt="" data-test-locator="stream-item-image"/></a></div> </div><div class="Pend(45px) Ov(h)"><div class="Fz(16px) Fw(b) Tt(c) D(ib) Mb(4px) Mend(9px) Lh(1) C($cat-politics)" data-test-locator="stream-item-category-label">Politics</div><div class="C($streamItemGray) Fz(12px) D(ib) Mb(4px) Lh(1)" id="stream-item-publisher_21" data-test-locator="stream-item-publisher">Rolling Stone</div><h3 class="LineClamp(2,2.6em) Mb(4px) Mb(0)--md1160 Mt(0) Lh(1.3) Fz(19px) stream-item-title" data-test-locator="stream-item-title"><a class="js-content-viewer rapidnofollow wafer-caas D(b) Td(n) Td(n):f C(--cobalt) C(--dory):h" data-uuid="a30448d9-3077-3ca5-a6b7-fbb569663620" href="/entertainment/trump-promises-violate-14th-amendment-193116065.html" data-ylk="itc:0;elm:hdln;elmt:ct;bpos:1;cpos:21;cposy:42;rspns:nav;t1:a3;t2:strm;t3:ct;ccode:megastream_unified__en-US__frontpage__default__default__desktop__ga__noSplit;ct:story;g:a30448d9-3077-3ca5-a6b7-fbb569663620;grpt:storyCluster;pkgt:cluster_all_img;pos:1;cnt_tpc:Politics;slk:Trump Promises to Violate 14th Amendment
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1005C09A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029A93B8 LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100379BC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_3_00882297 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029A1015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_029A21CD mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001DD90 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1005C09A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2740000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2710000
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2B3C50

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2710000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2740000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2710000 value starts with: 4D5A

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qbot1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\wermgr.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 19_2_029AC3B5 GetSystemTimeAsFileTime,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100060D0 mgetVersion@Engine@ScScript@@SAHXZ,mgetStackTrace@DebugAPI@ScScript@@QBE?AVString@ScCore@@HH@Z,mgetName@Engine@ScScript@@QBEABVString@ScCore@@XZ,

Source: C:\Windows\SysWOW64\wermgr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000013.00000003.410719963.00000000048EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 19.2.rundll32.exe.2c60a28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.29a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.2c60a28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.424621480.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.425037724.0000000004870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 19.2.rundll32.exe.2c60a28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.29a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.2c60a28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.424621480.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.425037724.0000000004870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	341 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	341 Virtualization/Sandbox Evasion	1 Input Capture	461 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	341 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	113 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	335 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qbot1.dll	13%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"	0%	URL Reputation	safe
https://analytics.tiktok.com	0%	URL Reputation	safe
https://analytics.tiktok.com	0%	URL Reputation	safe
https://mem.gfx.ms	0%	URL Reputation	safe
https://openweb.jac.yahoosandbox.com	0%	Virustotal		Browse
https://d.impactradius-event.com	0%	Virustotal		Browse
https://openweb.jac.yahoosandbox.com	0%	Avira URL Cloud	safe
https://openweb.jac.yahoosandbox.com/1.5.0/jac.js	0%	Avira URL Cloud	safe
https://www.clarity.ms	0%	Avira URL Cloud	safe
https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c	0%	Avira URL Cloud	safe
https://d.impactradius-event.com	0%	Avira URL Cloud	safe
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
new-fp-shed.wg1.b.yahoo.com	87.248.100.215	true	false	high
yahoo.com	54.161.105.65	true	false	high
windowsupdatebg.s.llnwi.net	178.79.225.128	true	false	high
www.yahoo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://yahoo.com/	false	high
http://www.yahoo.com/	false	high
https://www.yahoo.com/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://s.yimg.com/ss/rapid-3.53.38.js	J7NKSXWB.htm.30.dr	false		high
https://outlook.live.com/owa/	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/6lV3qkp5vhD2J.O5ha31Nw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://www.onenote.com/?omkt=de-CH	de-ch[1].htm.30.dr	false		high
https://js.monitor.azure.com	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/fiFKhsorJ_.XzJNVa7HgsQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/h64YbbKcO2GsKYAy1QMRMw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/cx/pv/perf-vitals_3.1.0.js	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/aaq/spotim/	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/p68hnTLk2asTrmg6nFL37A--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://www.skype.com/de/	de-ch[1].htm.30.dr	false		high
https://fp-graviton-home-gateway.media.yahoo.com/	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/7mz1gUykvPcUcalzuGE1WQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://openweb.jac.yahoosandbox.com	J7NKSXWB.htm.30.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.yimg.com/uu/api/res/1.2/k8SbH9Gqa6W8a7JKyncC.A--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://www.ad.com/?utm_source=yahoo-home&utm_medium=referral&utm_campaign=ad-feedback"	J7NKSXWB.htm.30.dr	false	URL Reputation: safe	unknown
https://lptag.liveperson.net	de-ch[1].htm.30.dr	false		high
https://search.yahoo.com/search?p=	J7NKSXWB.htm.30.dr	false		high
https://xboxdesignlab.xbox.com/xbox-design-lab?recipeId=G4E9FNSC&icid=mscom_marcom_CPH4a_PrideXDLcon	de-ch[1].htm.30.dr	false		high
http://schema.org	J7NKSXWB.htm.30.dr	false		high
http://www.opensource.org/licenses/mit-license.php	J7NKSXWB.htm.30.dr	false		high
https://analytics.tiktok.com	de-ch[1].htm.30.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://legal.yahoo.com/us/en/yahoo/privacy/adinfo/index.html"	J7NKSXWB.htm.30.dr	false		high
https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830424%7C0%7C0%7CAdId=-41;BnId=0;ct=1864049394;st=	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/H3vVA32ymLk3HFF8J_ZI5w--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://www.instagram.com/microsoftch/	de-ch[1].htm.30.dr	false		high
https://www.clarity.ms	de-ch[1].htm.30.dr	false	Avira URL Cloud: safe	unknown
https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js	de-ch[1].htm.30.dr	false		high
https://cdnssl.clicktale.net	de-ch[1].htm.30.dr	false		high
https://publisher.liveperson.net	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/4cg6h0vinH_o7ba.oxXthQ--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/mzPB3eeJrxJuAn9uOhK0cA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/aaq/nel/js/spotIm.custom.SpotIMJAC.modal.9d3270fa67932556c75baaed2c09c955.js	J7NKSXWB.htm.30.dr	false		high
https://d.impactradius-event.com	de-ch[1].htm.30.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.yimg.com/aaq/hc/homepage-pwa-defer-1.1.6.js	J7NKSXWB.htm.30.dr	false		high
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	de-ch[1].htm.30.dr	false	Avira URL Cloud: safe	unknown
https://s.yimg.com/uu/api/res/1.2/2kRwuXH6fvmgKfpoQCf56g--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://onedrive.live.com/about/de-ch/	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/aaq/vzm/cs_1.4.0.js	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/c3dObtZQiIqjZKMWzeYQcw--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://lpcdn.lpsnmedia.net	de-ch[1].htm.30.dr	false		high
https://www.youtube.com/user/MicrosoftCH	de-ch[1].htm.30.dr	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://schema.org	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/uc/sf/0.1.322/js/safe.min.js	J7NKSXWB.htm.30.dr	false		high
https://mem.gfx.ms	de-ch[1].htm.30.dr	false	URL Reputation: safe	unknown
https://s.yimg.com/uu/api/res/1.2/5BZN9wyvjM8FfgniQrH0uw--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://aka.ms/yourcaliforniaprivacychoices	de-ch[1].htm.30.dr	false		high
https://www.yahoo.com/px.gif	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/uu/api/res/1.2/6DI2hkBaEy3aroPxqBStjQ--~B/Zmk9c3RyaW07aD0yNDY7cT04MDt3PTQ0MDthcHB	J7NKSXWB.htm.30.dr	false		high
https://twitter.com/microsoft_ch	de-ch[1].htm.30.dr	false		high
https://5.ras.yahoo.com/adcount%7C2.0%7C5113.1%7C4830441%7C0%7C225%7CAdId=11101911;BnId=2;ct=1864049	J7NKSXWB.htm.30.dr	false		high
https://s.yimg.com/aaq/wf/wf-core-1.63.0.js	J7NKSXWB.htm.30.dr	false		high
https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c5=2023538075&c7=https%3A%2F%2Fwww.yahoo.com%2F&c	J7NKSXWB.htm.30.dr	false	Avira URL Cloud: safe	unknown
https://accdn.lpsnmedia.net	de-ch[1].htm.30.dr	false		high
https://www.linkedin.com/company/1035	de-ch[1].htm.30.dr	false		high
https://www.xbox.com/	de-ch[1].htm.30.dr	false		high
http://schema.org/Organization	de-ch[1].htm.30.dr	false		high
https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js	J7NKSXWB.htm.30.dr	false		high
https://yep.video.yahoo.com/oath/js/1/oath-player.js?ypv=8.5.43&lang=en-US	J7NKSXWB.htm.30.dr	false		high
https://openweb.jac.yahoosandbox.com/1.5.0/jac.js	J7NKSXWB.htm.30.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
27.253.11.10	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
80.167.196.79	unknown	Denmark	3292	TDCTDCASDK	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
89.32.156.5	unknown	Italy	48544	TECNOADSL-ASIT	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
213.64.33.92	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
24.234.220.88	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
125.63.125.205	unknown	India	10029	SHYAMSPECTRA-ASSHYAMSPECTRAPVTLTDIN	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
72.205.104.134	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
69.160.121.6	unknown	Jamaica	33576	DIG001JM	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
70.49.205.198	unknown	Canada	577	BACOMCA	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
100.4.163.158	unknown	United States	701	UUNETUS	true
103.141.50.43	unknown	India	133693	SKISP-AS-INSriKrishnaInternetServicesPrivateLimitedI	true
70.50.83.216	unknown	Canada	577	BACOMCA	true
165.120.169.171	unknown	United States	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
79.92.15.6	unknown	France	15557	LDCOMNETFR	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
98.187.21.2	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
88.126.94.4	unknown	France	12322	PROXADFR	true
103.101.203.177	unknown	Singapore	133136	MYREPUBLIC-SGMyRepublicLtdSG	true
117.195.16.105	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	true
94.204.202.106	unknown	United Arab Emirates	15802	DU-AS1AE	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
98.37.25.99	unknown	United States	7922	COMCAST-7922US	true
5.107.153.132	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
81.111.108.123	unknown	United Kingdom	5089	NTLGB	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
54.161.105.65	yahoo.com	United States	14618	AMAZON-AESUS	false
87.248.100.215	new-fp-shed.wg1.b.yahoo.com	United Kingdom	34010	YAHOO-IRDGB	false
201.143.215.69	unknown	Mexico	8151	UninetSAdeCVMX	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
85.104.105.67	unknown	Turkey	9121	TTNETTR	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
2.49.63.160	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
116.74.163.130	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
116.120.145.170	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
90.7.72.46	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
46.246.254.242	unknown	Greece	1241	FORTHNET-GRForthnetEU	true
45.243.142.31	unknown	Egypt	24863	LINKdotNET-ASEG	true
70.64.77.115	unknown	Canada	6327	SHAWCA	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
213.55.33.103	unknown	France	49902	SRR-ASFR	true
45.62.70.33	unknown	Canada	40440	NRTC-CA	true
83.249.198.100	unknown	Sweden	39651	COMHEM-SWEDENSE	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
47.199.241.39	unknown	United States	5650	FRONTIER-FRTRUS	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
199.27.66.213	unknown	United States	40608	HCTNEBRASKAUS	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
86.176.83.44	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
90.29.86.138	unknown	France	3215	FranceTelecom-OrangeFR	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
77.126.99.230	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
93.147.235.8	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	880144
Start date and time:	2023-06-01 21:22:57 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	qbot1.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@40/37@2/100
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Successful, ratio: 72.9% (good quality ratio 42.8%) Quality average: 41.7% Quality standard deviation: 40.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.42.65.92, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50, 20.112.52.29, 23.36.225.122, 178.79.225.128
Excluded domains from analysis (whitelisted): www.microsoft.com-c-3.edgekey.net, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, microsoft.com, www.microsoft.com, wu-bg-shim.trafficmanager.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
Execution Graph export aborted for target rundll32.exe, PID 5044 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6336 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.

Simulations

Behavior and APIs

Time	Type	Description
21:24:00	API Interceptor	7x Sleep call for process: WerFault.exe modified
21:24:06	API Interceptor	1x Sleep call for process: loaddll32.exe modified
21:24:17	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.915002607621147
Encrypted:	false
SSDEEP:	192:C5Ai90oXXHBUZMX4jed+T/u7sdS274It7c:fiTX3BUZMX4je2/u7sdX4It7c
MD5:	E3B8E452B6905834223D17CCD4EEE909
SHA1:	E0919958374592CF3D504023D49D034AEE63B6B7
SHA-256:	EDCE1586E87A1EB14974726222CED71ADFC19D7E5F8BBEE714B79D525F3A5681
SHA-512:	D908C996F6C99413668A3C891F2D2EB8788154D6AC1B511737471D2B97B8E883B8AD57B2307ED0D2871AE2D8AD351E7EBE5D9AB7FA76BEE0157977090B89B2AB
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.1.5.3.4.4.7.1.7.1.3.8.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.1.5.3.4.4.8.5.6.2.0.1.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.5.0.3.1.b.f.-.2.8.d.2.-.4.4.c.2.-.a.2.5.8.-.1.b.4.1.4.f.6.b.2.4.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.1.8.7.3.9.8.-.4.3.a.7.-.4.6.6.8.-.9.c.a.7.-.5.9.e.d.b.6.8.2.9.7.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.4.-.0.0.0.1.-.0.0.1.9.-.3.9.8.9.-.8.0.1.1.0.a.9.5.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 63843 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	63843
Entropy (8bit):	7.99568798138569
Encrypted:	true
SSDEEP:	1536:MRxM2u+06GOIVUvVmMKAfUfsrPa1jfCu18ZNMe3v:KMH+F3IacMZ2CPACu1GN7v
MD5:	3AC860860707BAAF32469FA7CC7C0192
SHA1:	C33C2ACDABA0E6FA41FD2F00F186804722477639
SHA-256:	D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
SHA-512:	D62AD2408C969A95550FB87EFDA50F988770BA5E39972041BF85924275BAF156B8BEC309ECC6409E5ACDD37EC175DEA40EFF921AB58933B5B5B5D35A6147567C
Malicious:	false
Reputation:	unknown
Preview:	MSCF....c.......,...................I..................V. .authroot.stl....e/5..CK..8U....a..t2.1.P. J.".t..2F2e....&))$7I.4...e...+SJE...[.T/..{......c.k....?..Z....bz..qzq.l...,.{...i......39..a.ia....&.3.L2...CTf....I7. ....o.2.0a1m.PG.t.......GH.k.6#L.t2.4._.Y!B.h.....NP~..<Z.G..F#..x"f%...x.aF(.J.3...bf7y.j....)...3......y7UZ..7g~9......."._.t_"K.S...">..,.......V..}.K.Vv3[...A.9O..Ea\..+CEv...6CBKt...K..5qa....!..<./X.......r.. ?(.\[. ......y..... ..V.s.`...k@.`........p...GY..;.`....v..ou..........GH.6.l...P2.(8g.....".......-#...h.U.t..{o./e.wAST.f}0R.(.NM.{...{.=Ch.va'.?W...C....T.pw=.W~+......u.`D.)(..VdN. .py@...%...YY.>.`.....Y.U........}...9....\V~=..-...Q......_0.o.nZ....(6.....4.}.`...s.O.K5.W..4.....s,}...6.....'.8&}.{.....RlZ.?.D4).(.....O......V..V.pk.:]...,.f`D..e.SO.G.%.:).......eo.bU}.....g..$.gui..h.;-....he(.XoY;..6a..x..`lq....:.F!..l.X....!...Lg..53.._....S..G..`...N\|..Zx..o.#}Lnd1.V.eE....I.'..`.....KnN....3....{.

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.774709126218966
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qbot1.dll
File size:	878008
MD5:	682b7633158d20f720ca61cc96c45c50
SHA1:	1f409c817fdf4d65c1f2009f925b583672f67619
SHA256:	83380409b59ca7c171c09f2972034ec5d1789b6e5830e333a897dc4ac1ec885e
SHA512:	3da1b7d9e770217221cf26f8e88af84698b8b2c50a09cba0383d23edce73fecaa2d90715288844d3a3f2bf6d7d8836811982109ffc76ba336deb9029633bb536
SSDEEP:	12288:ovXYcP7kXn89DhAw1aUN3RFEycMFSDXxqEbHXeL/Lt72G3m0ch:mvTkXnyD6ORDccmEs3M/Lt72G3m0
TLSH:	F7156CF25A01867DE2AD117189FDEB5F803E99D04B38A2C3729C5A6A1DB18D31F36713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.Fz[XFz[XFz[XO..XBz[X]..XCz[XFzZX.x[X.4.XGz[X]..XEz[X]..XKz[X]..X!z[X]..XGz[X]..XGz[X]..XGz[XRichFz[X................PE..L..

Entrypoint:	0x1005c5fa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5036D5DC [Fri Aug 24 01:16:12 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ecbfa0c187b811cd9c0664ba6d0c27aa

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8cc20	0x4480	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85be4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x95000	0xa18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa0000	0x1c90	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xca3c	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6aa30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x73c48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6a000	0xa14	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68745	0x68800	False	0.3936271119916268	data	6.339556700724658	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6a000	0x270a0	0x27200	False	0.3806784145367412	data	5.524617438010386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x92000	0x2544	0x2200	False	0.34627757352941174	data	5.345647866062178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x95000	0x2b508	0x2c000	False	0.8748335404829546	data	7.645313379162503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0xd3b2	0xd400	False	0.6316701061320755	data	6.608874822602809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x95140	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_GROUP_ICON	0x95428	0x14	data	English	United States
RT_VERSION	0x9543c	0x480	data	English	United States
RT_MANIFEST	0x958bc	0x15a	ASCII text, with CRLF line terminators	English	United States

Name	Ordinal	Address
m?0API@ScScript@@IAE@AAVEngine@1@H@Z	1	0x10001610
m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z	2	0x10037fd0
m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z	3	0x100251c0
m?0BreakpointInfo@ScScript@@QAE@XZ	4	0x10025150
m?0Callback@ScScript@@QAE@XZ	5	0x10001330
m?0DataPool@ScScript@@QAE@XZ	6	0x10004cc0
m?0DebugAPI@ScScript@@AAE@AAVEngine@1@@Z	7	0x10025ee0
m?0Debugger@ScScript@@QAE@ABV01@@Z	8	0x10001460
m?0Debugger@ScScript@@QAE@XZ	9	0x10004eb0
m?0Dispatcher@ScScript@@QAE@PBD@Z	10	0x10007260
m?0ESContext@ScScript@@IAE@XZ	11	0x10009d80
m?0EmptyNode@ScScript@@QAE@ABUScanInfo@1@@Z	12	0x10037f00
m?0Engine@ScScript@@IAE@XZ	13	0x100094f0
m?0FileDisp@ScScript@@QAE@XZ	14	0x10024110
m?0GlobalDialogs@ScScript@@QAE@XZ	15	0x1002a3f0
m?0HiliteAPI@ScScript@@AAE@AAVEngine@1@@Z	16	0x1002a080
m?0LabelNode@ScScript@@QAE@ABUScanInfo@1@@Z	17	0x10038270
m?0ListNode@ScScript@@QAE@ABUScanInfo@1@@Z	18	0x10038140
m?0LiveObjectAPI@ScScript@@AAE@AAVEngine@1@@Z	19	0x1002a690
m?0Node@ScScript@@QAE@ABUScanInfo@1@@Z	20	0x10037280
m?0ParserAPI@ScScript@@AAE@AAVEngine@1@@Z	21	0x1002a840
m?0Preprocessor@ScScript@@QAE@XZ	22	0x100104f0
m?0ProfilerData@ScScript@@QAE@XZ	23	0x10001710
m?0RuntimeError@ScScript@@QAE@ABV01@@Z	24	0x10008e10
m?0RuntimeError@ScScript@@QAE@XZ	25	0x10008d20
m?0ScopeInfo@ScScript@@QAE@XZ	26	0x10019230
m?0ScopeNode@ScScript@@QAE@ABUScanInfo@1@@Z	27	0x10038360
m?0Script@ScScript@@QAE@XZ	28	0x10001590
m?0ScriptContainer@ScScript@@QAE@XZ	29	0x100194a0
m?0ScriptContainer@ScScript@@QAE@_N@Z	30	0x10019520
m?0TernaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@11@Z	31	0x10038080
m?0UnaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@@Z	32	0x10037f30
m?0ValidateData@ScScript@@QAE@ABV01@@Z	33	0x10055dd0
m?0ValidateData@ScScript@@QAE@XZ	34	0x10055dc0
m?1API@ScScript@@UAE@XZ	35	0x10001660
m?1BinaryNode@ScScript@@UAE@XZ	36	0x10038000
m?1BreakpointInfo@ScScript@@UAE@XZ	37	0x10025290
m?1Callback@ScScript@@UAE@XZ	38	0x10001660
m?1DataPool@ScScript@@QAE@XZ	39	0x10003dc0
m?1DebugAPI@ScScript@@UAE@XZ	40	0x10001660
m?1Debugger@ScScript@@UAE@XZ	41	0x10004ed0
m?1Dispatcher@ScScript@@UAE@XZ	42	0x10007e00
m?1ESContext@ScScript@@MAE@XZ	43	0x10009e90
m?1EmptyNode@ScScript@@UAE@XZ	44	0x100017e0
m?1Engine@ScScript@@UAE@XZ	45	0x100095a0
m?1FileDisp@ScScript@@UAE@XZ	46	0x100241d0
m?1GlobalDialogs@ScScript@@UAE@XZ	47	0x10001770
m?1HiliteAPI@ScScript@@UAE@XZ	48	0x10001660
m?1LabelNode@ScScript@@UAE@XZ	49	0x100382f0
m?1ListNode@ScScript@@UAE@XZ	50	0x100381d0
m?1LiveObjectAPI@ScScript@@UAE@XZ	51	0x10001660
m?1Node@ScScript@@UAE@XZ	52	0x10037e90
m?1ParserAPI@ScScript@@UAE@XZ	53	0x10001660
m?1Preprocessor@ScScript@@UAE@XZ	54	0x10010cb0
m?1RuntimeError@ScScript@@UAE@XZ	55	0x10008da0
m?1ScopeInfo@ScScript@@UAE@XZ	56	0x100192c0
m?1ScopeNode@ScScript@@UAE@XZ	57	0x10038400
m?1Script@ScScript@@MAE@XZ	58	0x10008d10
m?1ScriptContainer@ScScript@@UAE@XZ	59	0x10019ce0
m?1TernaryNode@ScScript@@UAE@XZ	60	0x100380b0
m?1UnaryNode@ScScript@@UAE@XZ	61	0x10037f60
m?1ValidateData@ScScript@@UAE@XZ	62	0x10055e50
m?4BreakpointInfo@ScScript@@QAEAAV01@ABV01@@Z	63	0x10025240
m?4Debugger@ScScript@@QAEAAV01@ABV01@@Z	64	0x10001490
m?4InitTerm@ScScript@@QAEAAV01@ABV01@@Z	65	0x100016e0
m?4RuntimeError@ScScript@@QAEAAV01@ABV01@@Z	66	0x10008eb0
m?4ValidateData@ScScript@@QAEAAV01@ABV01@@Z	67	0x100016e0
m?_7API@ScScript@@6B@	68	0x1006aac0
m?_7BinaryNode@ScScript@@6B@	69	0x100704dc
m?_7BreakpointInfo@ScScript@@6B@	70	0x1006e89c
m?_7Callback@ScScript@@6B@	71	0x1006aa50
m?_7DebugAPI@ScScript@@6B@	72	0x1006e940
m?_7Debugger@ScScript@@6B@	73	0x1006aa7c
m?_7Dispatcher@ScScript@@6B@	74	0x1006c41c
m?_7ESContext@ScScript@@6B@	75	0x1006c60c
m?_7EmptyNode@ScScript@@6B@	76	0x10070484
m?_7Engine@ScScript@@6B@	77	0x1006c53c
m?_7FileDisp@ScScript@@6B@	78	0x1006e79c
m?_7GlobalDialogs@ScScript@@6B@	79	0x1006ec04
m?_7HiliteAPI@ScScript@@6B@	80	0x1006eb58
m?_7LabelNode@ScScript@@6B@	81	0x10070560
m?_7ListNode@ScScript@@6B@	82	0x10070534
m?_7LiveObjectAPI@ScScript@@6B@	83	0x1006ec6c
m?_7Node@ScScript@@6B@	84	0x1007044c
m?_7ParserAPI@ScScript@@6B@	85	0x1006ec74
m?_7Preprocessor@ScScript@@6B@	86	0x1006ca10
m?_7RuntimeError@ScScript@@6B@	87	0x1006c52c
m?_7ScopeInfo@ScScript@@6B@	88	0x1006cd9c
m?_7ScopeNode@ScScript@@6B@	89	0x1007058c
m?_7Script@ScScript@@6B@	90	0x1006aa9c
m?_7ScriptContainer@ScScript@@6B@	91	0x1006cda4
m?_7TernaryNode@ScScript@@6B@	92	0x10070508
m?_7UnaryNode@ScScript@@6B@	93	0x100704b0
m?_7ValidateData@ScScript@@6B@	94	0x10072178
m?_FDispatcher@ScScript@@QAEXXZ	95	0x10001580
m_isInteger@DataPool@ScScript@@ABE_NH@Z	96	0x10004380
m_isUInteger@DataPool@ScScript@@ABE_NH@Z	97	0x100044e0
madd@DataPool@ScScript@@QAEHABVVariant@ScCore@@@Z	98	0x10004140
madd@DataPool@ScScript@@QAEHG@Z	99	0x100013d0
madd@DataPool@ScScript@@QAEHI@Z	100	0x10004070
madd@DataPool@ScScript@@QAEHN@Z	101	0x10003fc0
madd@DataPool@ScScript@@QAEHPBD@Z	102	0x10003de0
madd@DataPool@ScScript@@QAEHPBG@Z	103	0x10003ee0
madd@ScriptContainer@ScScript@@QAEXABV12@_N@Z	104	0x100197a0
maddClass@Dispatcher@ScScript@@QAEXABVString@ScCore@@@Z	105	0x10007390
maddClass@Dispatcher@ScScript@@QAEXPBD@Z	106	0x10007f30
maddProperties@Dispatcher@ScScript@@QAEXHPBUPropEntry@2@PBD@Z	107	0x10001530
matExit@InitTerm@ScScript@@SAXP6AXXZ@Z	108	0x1000a820
mcall@Dispatcher@ScScript@@QAEXAAUArguments@2@PBD@Z	109	0x10007990
mcall@Dispatcher@ScScript@@UAEXAAUArguments@2@P6AX0@Z@Z	110	0x10006b20
mcall@GlobalDialogs@ScScript@@UAEHAAVLiveObject@ScCore@@HABVArray@4@AAVVariant@4@PAVError@4@@Z	111	0x1002a470
mcheckStack@ESContext@ScScript@@QBE_NXZ	112	0x10001810
mclearError@Engine@ScScript@@UAEXXZ	113	0x10009170
mclone@Engine@ScScript@@UBEHPAPAV12@@Z	114	0x10009650
mcommand@DebugAPI@ScScript@@QAEXW4Cmd@12@_N@Z	115	0x10026050
mcompile@ScriptContainer@ScScript@@QAEHABVFileSpec@ScCore@@_NP6A_N0@Z@Z	116	0x1001a140
mcompile@ScriptContainer@ScScript@@QAEHABVString@ScCore@@0@Z	117	0x10019610
mcreateEngine@Engine@ScScript@@SAPAV12@W4Type@12@@Z	118	0x10008fe0
mcreateFile@FileDisp@ScScript@@QAE_NAAVVariant@ScCore@@ABVString@4@@Z	119	0x100242a0
mcreateFolder@FileDisp@ScScript@@QAE_NAAVVariant@ScCore@@ABVString@4@@Z	120	0x100241e0
mcreateValidateVTable@ValidateData@ScScript@@SAPAVHashTable@ScCore@@XZ	121	0x10055de0
mdebugBreak@DebugAPI@ScScript@@QBEXABVString@ScCore@@@Z	122	0x10025f70
mdecRef@ScopeInfo@ScScript@@QBEXXZ	123	0x10001700
mdecompile@ParserAPI@ScScript@@QBE?AVString@ScCore@@ABVScopeNode@2@@Z	124	0x1002a810
mdirective@Preprocessor@ScScript@@AAE_NAAUProcData@12@@Z	125	0x10010570
mdoProcess@Preprocessor@ScScript@@AAE_NAAUProcData@12@@Z	126	0x10010040
mdump@BinaryNode@ScScript@@UAEXAAVEngine@2@H@Z	127	0x10037e40
mdump@LabelNode@ScScript@@UAEXAAVEngine@2@H@Z	128	0x10037e70
mdump@ListNode@ScScript@@UAEXAAVEngine@2@H@Z	129	0x10037e60
mdump@Node@ScScript@@UAEXAAVEngine@2@H@Z	130	0x10037e20
mdump@ScopeNode@ScScript@@UAEXAAVEngine@2@H@Z	131	0x10037e80
mdump@TernaryNode@ScScript@@UAEXAAVEngine@2@H@Z	132	0x10037e50
mdump@UnaryNode@ScScript@@UAEXAAVEngine@2@H@Z	133	0x10037e30
menablePreProcessor@ParserAPI@ScScript@@QAE_N_N@Z	134	0x1002a770
mengineNotify@Callback@ScScript@@UAEXAAVEngine@2@HH@Z	135	0x10001950
menterDebugMode@Callback@ScScript@@UAEXAAVEngine@2@@Z	136	0x100018f0
merase@ScriptContainer@ScScript@@QAEXXZ	137	0x10019820
merrorAlert@ScriptContainer@ScScript@@QBEXXZ	138	0x1001a0c0
merrorAlert@ScriptContainer@ScScript@@SAXABVError@ScCore@@@Z	139	0x1001a040
merrorMessage@ScriptContainer@ScScript@@QBE?AVString@ScCore@@XZ	140	0x10019d60
merrorMessage@ScriptContainer@ScScript@@SA?AVString@ScCore@@ABVError@4@@Z	141	0x10019870
meval@DebugAPI@ScScript@@QAEHABVString@ScCore@@AAVVariant@4@@Z	142	0x100261c0
mexecute@ScriptContainer@ScScript@@QAEHAAVEngine@2@H@Z	143	0x10019f90
mexecuteStaticXML@DebugAPI@ScScript@@SAPAVXML@ScCore@@ABV34@AAVError@4@@Z	144	0x10029d00
mexecuteXML@DebugAPI@ScScript@@QAEPAVXML@ScCore@@ABV34@AAVError@4@@Z	145	0x100298b0
mexit@InitTerm@ScScript@@SAXXZ	146	0x1000a840
mfindEngine@Engine@ScScript@@SAPAV12@ABVString@ScCore@@@Z	147	0x10009360
mfindProperty@Dispatcher@ScScript@@UBEPBVPropInfo@2@HHPAVRoot@ScCore@@_N1@Z	148	0x10007790
mfoldConstants@BinaryNode@ScScript@@UAEPAVNode@2@XZ	149	0x10038680
mfoldConstants@ListNode@ScScript@@UAEPAVNode@2@XZ	150	0x10038c90
mfoldConstants@Node@ScScript@@UAEPAV12@XZ	151	0x100373e0
mfoldConstants@TernaryNode@ScScript@@UAEPAVNode@2@XZ	152	0x10038c30
mfoldConstants@UnaryNode@ScScript@@UAEPAVNode@2@XZ	153	0x10038480
mgarbageCollecting@Callback@ScScript@@UAE_NAAVEngine@2@@Z	154	0x100018d0
mgcAll@Engine@ScScript@@SAXXZ	155	0x100093e0
mget@DataPool@ScScript@@SAAAV12@XZ	156	0x10003c00
mget@Dispatcher@ScScript@@UAEXAAUArguments@2@@Z	157	0x10006ae0
mget@ESContext@ScScript@@SAAAV12@XZ	158	0x10009e50
mgetAll@Engine@ScScript@@SAXAAV?$TSimpleArray@VEngine@ScScript@@@ScCore@@@Z	159	0x100093c0
mgetBreakpoints@DebugAPI@ScScript@@QBEXAAV?$TSimpleArray@VBreakpointInfo@ScScript@@@ScCore@@@Z	160	0x100254d0
mgetCallback@Engine@ScScript@@QBEPAVCallback@2@XZ	161	0x10009120
mgetClass@Dispatcher@ScScript@@QBEABVString@ScCore@@H@Z	162	0x100074b0
mgetClassCount@Dispatcher@ScScript@@QBEHXZ	163	0x10006a50
mgetClassID@Dispatcher@ScScript@@ABEHH@Z	164	0x10006a60
mgetClassInfo@Dispatcher@ScScript@@UAEPBVClassInfo@ScCore@@ABVString@4@@Z	165	0x10006b40
mgetClassObject@Callback@ScScript@@UAEPAVLiveObject@ScCore@@AAVEngine@2@ABVString@4@AAI@Z	166	0x10001920
mgetConstant@Node@ScScript@@QBEPBVVariant@ScCore@@XZ	167	0x10001640
mgetContextInfo@DebugAPI@ScScript@@QBEHHAAVString@ScCore@@AAVArray@4@@Z	168	0x10026430
mgetContextLevel@DebugAPI@ScScript@@QBEHXZ	169	0x10001760
mgetCurrent@Engine@ScScript@@SAPAV12@XZ	170	0x10008fd0
mgetDebugFlags@Engine@ScScript@@QBEHXZ	171	0x100016b0
mgetDebugLevel@Engine@ScScript@@QBEHXZ	172	0x10001690
mgetDebugState@DebugAPI@ScScript@@QBE?AW4State@12@XZ	173	0x10025f20
mgetDictionary@Engine@ScScript@@UBEPAVDictionary@ScCore@@XZ	174	0x10009100
mgetDirective@Preprocessor@ScScript@@QBEPBVString@ScCore@@ABV34@@Z	175	0x10010a90
mgetEngine@API@ScScript@@QBEAAVEngine@2@XZ	176	0x10001650
mgetEnumNames@Dispatcher@ScScript@@UBEXABVVariant@ScCore@@AAV?$TSimpleArray@VString@ScCore@@@4@@Z	177	0x10006ad0
mgetEnumerableProperties@Dispatcher@ScScript@@UBEXABVVariant@ScCore@@AAVSimpleArray@4@H@Z	178	0x100080e0
mgetError@Engine@ScScript@@UBEABVError@ScCore@@XZ	179	0x10009160
mgetError@ScriptContainer@ScScript@@QBEAAVError@ScCore@@XZ	180	0x100195c0
mgetErrorInfo@Engine@ScScript@@UBEABVRuntimeError@2@XZ	181	0x10009140
mgetGlobalObject@LiveObjectAPI@ScScript@@QBEAAVLiveObject@ScCore@@XZ	182	0x1002a390
mgetID@Engine@ScScript@@QBEIXZ	183	0x10009050
mgetIncludePath@ParserAPI@ScScript@@QBEABVString@ScCore@@XZ	184	0x1002a790
mgetIncludes@Preprocessor@ScScript@@QBEABVString@ScCore@@XZ	185	0x10010460
mgetInteger@DataPool@ScScript@@QBEHH@Z	186	0x10004b30
mgetLocalizer@Engine@ScScript@@QBEPBVLocalizer@ScCore@@XZ	187	0x100090e0
mgetName@API@ScScript@@QBEHXZ	188	0x10001640
mgetName@Engine@ScScript@@QBEABVString@ScCore@@XZ	189	0x10009060
mgetNode@ListNode@ScScript@@QBEPAVNode@2@H@Z	190	0x10001870
mgetNumber@DataPool@ScScript@@QBENH@Z	191	0x10004640
mgetOutputStream@DebugAPI@ScScript@@QBEPAVFile@ScCore@@XZ	192	0x10001750
mgetParent@Dispatcher@ScScript@@QBEPAV12@XZ	193	0x100069e0
mgetProfilerData@DebugAPI@ScScript@@QAEXPAV?$TSimpleArray@VProfilerData@ScScript@@@ScCore@@_N@Z	194	0x100265f0
mgetProfilingLevel@Engine@ScScript@@QBEHXZ	195	0x100016a0
mgetProperties@DebugAPI@ScScript@@QAE_NABVVariant@ScCore@@AAV?$THashTable@VVariant@ScCore@@@4@H@Z	196	0x10026750
mgetProperties@DebugAPI@ScScript@@QAE_NABVVariant@ScCore@@AAV?$THashTable@VVariant@ScCore@@@4@_N2@Z	197	0x10029e80
mgetProperties@Dispatcher@ScScript@@UBEXHHAAV?$TSimpleArray@$$CBVPropInfo@ScScript@@@ScCore@@@Z	198	0x10007600
mgetPropertyTable@GlobalDialogs@ScScript@@SAABULivePropertyInfo@ScCore@@XZ	199	0x1002a460
mgetScript@DebugAPI@ScScript@@QBEPAVScript@2@XZ	200	0x10026220
mgetScript@ScriptContainer@ScScript@@QBEPAVScript@2@H@Z	201	0x100195d0
mgetSecurityFlags@FileDisp@ScScript@@QBEHXZ	202	0x10001750
mgetSource@DebugAPI@ScScript@@QBE?AVString@ScCore@@XZ	203	0x10026270
mgetSourceFileID@DebugAPI@ScScript@@QBEHXZ	204	0x10026310
mgetSourceLine@DebugAPI@ScScript@@QBEHXZ	205	0x10026340
mgetStackDepth@DebugAPI@ScScript@@QBEHXZ	206	0x10026480
mgetStackTrace@DebugAPI@ScScript@@QBE?AVString@ScCore@@HH@Z	207	0x10026370
mgetSymbol@DataPool@ScScript@@QBE?AVString@ScCore@@H@Z	208	0x100049e0
mgetTable@Dispatcher@ScScript@@ABEPBVTableEntry@2@H@Z	209	0x100074f0
mgetUInteger@DataPool@ScScript@@QBEIH@Z	210	0x10004bd0
mgetUserData@Dispatcher@ScScript@@QBEPAVRoot@ScCore@@XZ	211	0x10001550
mgetUserData@Engine@ScScript@@QBEPAVRoot@ScCore@@XZ	212	0x10001550
mgetValue@DataPool@ScScript@@QBEXHAAVVariant@ScCore@@@Z	213	0x10004790
mgetVersion@Engine@ScScript@@SAHXZ	214	0x10008fc0
mgetWatchpointInfo@DebugAPI@ScScript@@QAE_NAAVVariant@ScCore@@00@Z	215	0x100254f0
mgetXML@LiveObjectAPI@ScScript@@QBEPAVXML@ScCore@@ABVVariant@4@@Z	216	0x1002a3b0
mhasDotProperties@Dispatcher@ScScript@@QBE_NH@Z	217	0x10007570
mhasOperators@Dispatcher@ScScript@@ABE_NH@Z	218	0x100075c0
mhasProperty@Dispatcher@ScScript@@UBEPBUPropEntry@2@ABVVariant@ScCore@@0_N@Z	219	0x10006ac0
mincRef@ScopeInfo@ScScript@@QBEXXZ	220	0x100016f0
minit@InitTerm@ScScript@@SAXXZ	221	0x1000a6e0
minit@ValidateData@ScScript@@SAXXZ	222	0x10055ed0
minsert@ScriptContainer@ScScript@@QAEXAAVScript@2@H@Z	223	0x10019740
minvalidateClassAll@Engine@ScScript@@SAXABVString@ScCore@@@Z	224	0x100094a0
misClass@Dispatcher@ScScript@@QBE_NABVString@ScCore@@@Z	225	0x100069f0
misClass@Dispatcher@ScScript@@QBE_NH@Z	226	0x10006a30
misClass@Dispatcher@ScScript@@QBE_NPBD@Z	227	0x10007440
misCommandEnabled@DebugAPI@ScScript@@QAE_NW4Cmd@12@@Z	228	0x10025f90
misContinueOnError@ScriptContainer@ScScript@@QBE_NXZ	229	0x100195a0
misEmpty@Node@ScScript@@QBE_NXZ	230	0x100017d0
misInitialized@InitTerm@ScScript@@SA_NXZ	231	0x1000a800
misInteger@DataPool@ScScript@@QBE_NH@Z	232	0x100013e0
misNumber@DataPool@ScScript@@QBE_NH@Z	233	0x10004210
misReadOnly@DebugAPI@ScScript@@QAE_NABVVariant@ScCore@@ABVString@4@@Z	234	0x10026ac0
misUInteger@DataPool@ScScript@@QBE_NH@Z	235	0x10001420
misUpperCase@DataPool@ScScript@@SA_NH@Z	236	0x100013b0
misValidClassName@Callback@ScScript@@UAE_NAAVEngine@2@ABVString@ScCore@@@Z	237	0x10001940
misValidLine@Script@ScScript@@SA_NABV12@H@Z	238	0x10045560
mleaveDebugMode@Callback@ScScript@@UAEXAAVEngine@2@_N@Z	239	0x10001900
mlength@ListNode@ScScript@@QBEHXZ	240	0x100017f0
mlength@ScriptContainer@ScScript@@QBEJXZ	241	0x100195b0
mload@ScriptContainer@ScScript@@QAEHAAVEngine@2@@Z	242	0x100196a0
mlockRef@Engine@ScScript@@QAEXABVVariant@ScCore@@@Z	243	0x100016d0
mmakeXMLObject@LiveObjectAPI@ScScript@@QBEXABVXML@ScCore@@AAVVariant@4@@Z	244	0x1002a3d0
mnext@HiliteAPI@ScScript@@QAE_NPAVHiliteAPIData@2@AAUHiliteRange@2@@Z	245	0x1002a0b0
mparse@ParserAPI@ScScript@@QBEPAVScopeNode@2@ABVString@ScCore@@@Z	246	0x1002a870
mprocess@Preprocessor@ScScript@@QAEHABVString@ScCore@@0AAV34@PAVError@4@@Z	247	0x10010b20
mput@Dispatcher@ScScript@@UAEXAAUArguments@2@@Z	248	0x10006b00
mregisterProperties@Dispatcher@ScScript@@QAEXHPBUPropEntry@2@@Z	249	0x100083e0
mregisterProperties@Dispatcher@ScScript@@QAEXHPBUPropEntry@2@ABVString@ScCore@@@Z	250	0x10007fa0
mregisterProperties@Dispatcher@ScScript@@QAEXHPBUPropEntry@2@PBD@Z	251	0x10008420
mrestoreError@Engine@ScScript@@UAEXABVError@ScCore@@@Z	252	0x10009180
mrunning@Callback@ScScript@@UAEXAAVEngine@2@@Z	253	0x100018c0
mruntimeError@Callback@ScScript@@UAEXAAVEngine@2@@Z	254	0x100018e0
mset@RuntimeError@ScScript@@QAEXABVError@ScCore@@@Z	255	0x10008f10
msetBreakpoints@DebugAPI@ScScript@@QAEXPBV?$TSimpleArray@VBreakpointInfo@ScScript@@@ScCore@@@Z	256	0x100254e0
msetCallback@Engine@ScScript@@QAEXPAVCallback@2@@Z	257	0x10009130
msetContextLevel@DebugAPI@ScScript@@QAEXH@Z	258	0x100254b0
msetDebugFlags@Engine@ScScript@@QAEXH@Z	259	0x100016c0
msetDebugLevel@Engine@ScScript@@QAEXH@Z	260	0x10009070
msetDictionary@Engine@ScScript@@UAEXPAVDictionary@ScCore@@@Z	261	0x10009110
msetError@Engine@ScScript@@UAEXABVError@ScCore@@@Z	262	0x10009890
msetError@Engine@ScScript@@UAEXABVRuntimeError@2@@Z	263	0x10009b10
msetError@Engine@ScScript@@UAEXH@Z	264	0x10009190
msetError@Engine@ScScript@@UAEXHABVLiveObject@ScCore@@H_NH@Z	265	0x10009200
msetError@Engine@ScScript@@UAEXHABVString@ScCore@@H_N@Z	266	0x100099f0
msetGlobalObject@LiveObjectAPI@ScScript@@QBEXAAVLiveObject@ScCore@@@Z	267	0x1002a3a0
msetIncludePath@ParserAPI@ScScript@@QBEXABVString@ScCore@@@Z	268	0x1002a7a0
msetIncludes@Preprocessor@ScScript@@QAEXABVString@ScCore@@@Z	269	0x10010470
msetLocalizer@Engine@ScScript@@QAEXPBVLocalizer@ScCore@@@Z	270	0x100090f0
msetName@Engine@ScScript@@QAE_NABVString@ScCore@@@Z	271	0x100096b0
msetOutputStream@DebugAPI@ScScript@@QAEXPAVFile@ScCore@@@Z	272	0x10001740
msetProfilingLevel@Engine@ScScript@@QAEXH@Z	273	0x100090b0
msetSecurityFlags@FileDisp@ScScript@@QAEXH@Z	274	0x10001740
msetStackBottom@ESContext@ScScript@@QAEXH@Z	275	0x10001800
msetUserData@Dispatcher@ScScript@@QAEXPAVRoot@ScCore@@_N@Z	276	0x10001560
msetUserData@Engine@ScScript@@QAEXPAVRoot@ScCore@@_N@Z	277	0x10001670
mstart@HiliteAPI@ScScript@@QAEPAVHiliteAPIData@2@ABVString@ScCore@@HH@Z	278	0x10029f70
mstop@HiliteAPI@ScScript@@QAEXPAVHiliteAPIData@2@@Z	279	0x1002a050
msubClass@Dispatcher@ScScript@@QAEXAAV12@@Z	280	0x10006aa0
mtest_1@ValidateData@ScScript@@UAEXXZ	281	0x10055e60
mtest_2@ValidateData@ScScript@@UAEXXZ	282	0x10055e70
mtest_3@ValidateData@ScScript@@UAEXXZ	283	0x10055e80
mthrowException@ValidateData@ScScript@@SAXXZ	284	0x10055e90
mtoBinaryNode@BinaryNode@ScScript@@UBEPBV12@XZ	285	0x10037460
mtoBinaryNode@Node@ScScript@@UBEPBVBinaryNode@2@XZ	286	0x10037400
mtoLabelNode@LabelNode@ScScript@@UBEPBV12@XZ	287	0x10037490
mtoLabelNode@Node@ScScript@@UBEPBVLabelNode@2@XZ	288	0x10037430
mtoListNode@ListNode@ScScript@@UBEPBV12@XZ	289	0x10037480
mtoListNode@Node@ScScript@@UBEPBVListNode@2@XZ	290	0x10037420
mtoScopeNode@Node@ScScript@@UBEPBVScopeNode@2@XZ	291	0x10037440
mtoScopeNode@ScopeNode@ScScript@@UBEPBV12@XZ	292	0x100374a0
mtoString@BinaryNode@ScScript@@UBE?AVString@ScCore@@XZ	293	0x10037960
mtoString@LabelNode@ScScript@@UBE?AVString@ScCore@@XZ	294	0x10037b50
mtoString@ListNode@ScScript@@UBE?AVString@ScCore@@XZ	295	0x10038d40
mtoString@Node@ScScript@@UBE?AVString@ScCore@@XZ	296	0x10037700
mtoString@ScopeNode@ScScript@@UBE?AVString@ScCore@@XZ	297	0x10037c50
mtoString@TernaryNode@ScScript@@UBE?AVString@ScCore@@XZ	298	0x10037a40
mtoString@UnaryNode@ScScript@@UBE?AVString@ScCore@@XZ	299	0x100378b0
mtoTernaryNode@Node@ScScript@@UBEPBVTernaryNode@2@XZ	300	0x10037410
mtoTernaryNode@TernaryNode@ScScript@@UBEPBV12@XZ	301	0x10026510
mtoUnaryNode@Node@ScScript@@UBEPBVUnaryNode@2@XZ	302	0x100373f0
mtoUnaryNode@UnaryNode@ScScript@@UBEPBV12@XZ	303	0x10037450
mundefinedError@Callback@ScScript@@UAE_NAAVEngine@2@ABVVariant@ScCore@@1AAV45@@Z	304	0x10001910
munlockRef@Engine@ScScript@@QAEXABVVariant@ScCore@@@Z	305	0x100016d0
next	306	0x10037470

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 1, 2023 21:27:26.990444899 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.032546043 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.032670021 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.033020020 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.075469017 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.081409931 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.084450006 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.645675898 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.686903954 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.687359095 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.687517881 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.688122988 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:27.731060028 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.762924910 CEST	2222	49730	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:27.764712095 CEST	49730	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.492559910 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.534629107 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.535881996 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.536344051 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.597027063 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.597081900 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.597326040 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.599488974 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.602232933 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.602315903 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.648127079 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.648277044 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.653332949 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653367043 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653379917 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653390884 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653410912 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653431892 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653453112 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653472900 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653491974 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653512955 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.653585911 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.653585911 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.653680086 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.696938992 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.697091103 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.703682899 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703725100 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703749895 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703896046 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703912020 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.703918934 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703942060 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703963995 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703973055 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.703985929 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.703993082 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.704005957 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.704022884 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.704026937 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.704049110 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.704066038 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.704092026 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.738687992 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.738960981 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.746886969 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.747117043 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.751935005 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.751964092 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.751982927 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752187014 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.752381086 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752404928 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752423048 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752441883 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752460003 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752477884 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752496958 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.752505064 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.752541065 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.752588987 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.779994011 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.780792952 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.781001091 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.787924051 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.788029909 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.788773060 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.789233923 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.793484926 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.794975996 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.806771040 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806807995 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806824923 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806845903 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806865931 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806886911 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806907892 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806967020 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.806988001 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.807009935 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.807032108 CEST	2222	49732	213.64.33.92	192.168.2.5
Jun 1, 2023 21:27:42.807029963 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.807029963 CEST	49732	2222	192.168.2.5	213.64.33.92
Jun 1, 2023 21:27:42.807054996 CEST	2222	49732	213.64.33.92	192.168.2.5

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 1, 2023 21:27:57.308912039 CEST	192.168.2.5	8.8.8.8	0x1035	Standard query (0)	yahoo.com	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:58.128428936 CEST	192.168.2.5	8.8.8.8	0xf672	Standard query (0)	www.yahoo.com	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 1, 2023 21:27:27.272839069 CEST	8.8.8.8	192.168.2.5	0x9a68	No error (0)	windowsupdatebg.s.llnwi.net		178.79.225.128	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:27.272839069 CEST	8.8.8.8	192.168.2.5	0x9a68	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		54.161.105.65	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		74.6.231.21	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		34.225.127.72	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		74.6.143.26	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		74.6.143.25	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		74.6.231.20	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		98.137.11.164	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:57.332308054 CEST	8.8.8.8	192.168.2.5	0x1035	No error (0)	yahoo.com		98.137.11.163	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:58.153315067 CEST	8.8.8.8	192.168.2.5	0xf672	No error (0)	www.yahoo.com	new-fp-shed.wg1.b.yahoo.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 1, 2023 21:27:58.153315067 CEST	8.8.8.8	192.168.2.5	0xf672	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.215	A (IP address)	IN (0x0001)	false
Jun 1, 2023 21:27:58.153315067 CEST	8.8.8.8	192.168.2.5	0xf672	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.216	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	21:23:56
Start date:	01/06/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\qbot1.dll"
Imagebase:	0xd40000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	8
Start time:	21:23:57
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 656
Imagebase:	0x180000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	10
Start time:	21:23:59
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BinaryNode@ScScript@@QAE@ABUScanInfo@1@PAVNode@1@1@Z
Imagebase:	0x8b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	21:24:02
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\qbot1.dll,m?0BreakpointInfo@ScScript@@QAE@ABV01@@Z
Imagebase:	0x8b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	21:24:03
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 648
Imagebase:	0x180000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	30
Start time:	21:24:11
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x2a0000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	32
Start time:	21:27:27
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /all
Imagebase:	0x11a0000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	34
Start time:	21:27:28
Start date:	01/06/2023
Path:	C:\Windows\SysWOW64\whoami.exe
Wow64 process (32bit):	true
Commandline:	whoami /all
Imagebase:	0x3e0000
File size:	59392 bytes
MD5 hash:	2E498B32E15CD7C0177A254E2410559C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qbot1.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9fb6f77b13131586566dd65310d5dce5865fec4f_82810a17_1995889c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9fb6f77b13131586566dd65310d5dce5865fec4f_82810a17_19b56739\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9fb6f77b13131586566dd65310d5dce5865fec4f_82810a17_19b96630\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c6a0b02083f29b4f045509d58da68ab1c531655_82810a17_192989f4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c6a0b02083f29b4f045509d58da68ab1c531655_82810a17_1a9588cb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c6a0b02083f29b4f045509d58da68ab1c531655_82810a17_1bc56fb5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c6a0b02083f29b4f045509d58da68ab1c531655_82810a17_1be17998\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B33.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C4C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E22.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E90.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F0C.tmp.WERInternalMetadata.xml

Windows Analysis Report
qbot1.dll

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre